Hoppscotch
CVE-2023-34097
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
hoppscotch is an open source API development ecosystem. In versions prior to 2023.4.5 the database password is exposed in the logs when showing the database connection string. Attackers with access to read system logs will be able to elevate privilege with full access to the database. Users are advised to upgrade. There are no known workarounds for this vulnerability.
AnalysisAI
hoppscotch is an open source API development ecosystem. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified under CWE-532. hoppscotch is an open source API development ecosystem. In versions prior to 2023.4.5 the database password is exposed in the logs when showing the database connection string. Attackers with access to read system logs will be able to elevate privilege with full access to the database. Users are advised to upgrade. There are no known workarounds for this vulnerability. Affected products include: Hoppscotch. Version information: prior to 2023.4.5.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Hoppscotch
View allUnauthenticated infrastructure overwrite in Hoppscotch API development ecosystem before 2026.2.0. Attackers can overwrit
Hoppscotch prior to version 2026.2.0 contains authorization bypass vulnerabilities in its environment management APIs th
hoppscotch is an open source API development ecosystem. [CVSS 6.5 MEDIUM]
Unauthenticated mass assignment in Hoppscotch self-hosted exposes the JWT_SECRET and SESSION_SECRET to full attacker con
Hoppscotch is an API development ecosystem. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable
Stored cross-site scripting (XSS) in Hoppscotch versions prior to 2026.3.0 enables remote attackers to execute arbitrary
Stored cross-site scripting (XSS) in Hoppscotch prior to version 2026.3.0 allows authenticated users to inject malicious
hoppscotch is an open source API development ecosystem. Prior to version 2026.2.1, the DELETE /v1/access-tokens/revoke e
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today