{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34932", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-31T17:27:08.659Z", "datePublished": "2026-04-02T19:19:15.697Z", "dateUpdated": "2026-04-06T14:07:40.655Z"}, "containers": {"cna": {"title": "hoppscotch: Stored XSS via mock server responses on backend origin", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.5, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-wj4r-hr4h-g98v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-wj4r-hr4h-g98v"}, {"name": "https://github.com/hoppscotch/hoppscotch/releases/tag/2026.3.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/hoppscotch/hoppscotch/releases/tag/2026.3.0"}], "affected": [{"vendor": "hoppscotch", "product": "hoppscotch", "versions": [{"version": "< 2026.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T19:19:15.697Z"}, "descriptions": [{"lang": "en", "value": "hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is a stored XSS vulnerability that can lead to CSRF. This issue has been patched in version 2026.3.0."}], "source": {"advisory": "GHSA-wj4r-hr4h-g98v", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-04T03:55:32.332276Z", "id": "CVE-2026-34932", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T14:07:40.655Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34932", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-04T03:55:32.332276Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T15:39:40.363Z"}}], "cna": {"title": "hoppscotch: Stored XSS via mock server responses on backend origin", "source": {"advisory": "GHSA-wj4r-hr4h-g98v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "hoppscotch", "product": "hoppscotch", "versions": [{"status": "affected", "version": "< 2026.3.0"}]}], "references": [{"url": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-wj4r-hr4h-g98v", "name": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-wj4r-hr4h-g98v", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/hoppscotch/hoppscotch/releases/tag/2026.3.0", "name": "https://github.com/hoppscotch/hoppscotch/releases/tag/2026.3.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is a stored XSS vulnerability that can lead to CSRF. This issue has been patched in version 2026.3.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T19:19:15.697Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34932", "state": "PUBLISHED", "dateUpdated": "2026-04-06T14:07:40.655Z", "dateReserved": "2026-03-31T17:27:08.659Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T19:19:15.697Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hoppscotch:hoppscotch:*:*:*:*:*:*:*:*", "matchCriteriaId": "0FF217CC-EE39-4462-91B1-AA13EDECFF36", "versionEndExcluding": "2026.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is a stored XSS vulnerability that can lead to CSRF. This issue has been patched in version 2026.3.0."}], "id": "CVE-2026-34932", "lastModified": "2026-04-15T17:23:38.193", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.8, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T20:16:28.973", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/hoppscotch/hoppscotch/releases/tag/2026.3.0"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-wj4r-hr4h-g98v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2026.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "hoppscotch", "source": "cna", "vendor": "hoppscotch"}, "product": "hoppscotch", "vendor": "hoppscotch"}], "analysis": {"en": {"generated_at": "2026-04-02T22:49:06.551046+00:00", "value": {"mitigation_remediation": ["Upgrade hoppscotch to version 2026.3.0 or later."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting potentially leading to CSRF"}, "threat_synthesis": {"affected_systems": "The vulnerability affects any deployment of hoppscotch that utilizes the mock server feature, specifically versions released before 2026.3.0. All users of the hoppscotch ecosystem running an earlier release are subject to the stored XSS risk. The remediation is provided in the 2026.3.0 release, which removes the exploitable code path.", "description_and_impact": "A stored cross\u2011site scripting flaw is present in the mock server functionality of the hoppscotch API development ecosystem. The flaw allows an attacker to embed malicious script into a mock server response that is served from the backend origin. When a user loads the affected response, the injected script runs in the user\u2019s browser with the user\u2019s credentials, enabling unauthorized manipulation of the page and execution of additional actions such as submitting forms or accessing session data. Due to the script\u2019s ability to perform actions on behalf of the user, it can also facilitate cross\u2011site request forgery attacks, further compromising the integrity and confidentiality of the user\u2019s data.", "risk_and_exploitability": "With a CVSS score of 8.5 the flaw is considered high severity. Although an EPSS score is not available and it is not listed in the CISA KEV catalog, the nature of stored XSS means that an attacker can embed payloads that survive until a user interacts with the mock response. Successful exploitation requires the victim to view a crafted response, which makes the attack public\u2011web friendly in environments where the mock server is exposed to external users. Organizations should treat this as a high\u2011risk vulnerability and apply the patch promptly to eliminate the possibility of script injection and the secondary risk of CSRF."}}}}, "created": "2026-04-03T07:31:24.397854+00:00", "updated": "2026-04-03T09:16:19.879152+00:00", "vendors": ["hoppscotch", "hoppscotch$PRODUCT$hoppscotch"]}