Hoppscotch
CVE-2024-27092
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
Hoppscotch is an API development ecosystem. Due to lack of validation for fields like Label (Edit Team) - TeamName, bad actors can send emails with Spoofed Content as Hoppscotch. Part of payload (external link) is presented in clickable form - easier to achieve own goals by malicious actors. This issue is fixed in 2023.12.6.
AnalysisAI
Hoppscotch is an API development ecosystem. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified under CWE-20. Hoppscotch is an API development ecosystem. Due to lack of validation for fields like Label (Edit Team) - TeamName, bad actors can send emails with Spoofed Content as Hoppscotch. Part of payload (external link) is presented in clickable form - easier to achieve own goals by malicious actors. This issue is fixed in 2023.12.6. Affected products include: Hoppscotch.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Hoppscotch
View allUnauthenticated infrastructure overwrite in Hoppscotch API development ecosystem before 2026.2.0. Attackers can overwrit
hoppscotch is an open source API development ecosystem. Rated high severity (CVSS 8.8), this vulnerability is remotely e
Hoppscotch prior to version 2026.2.0 contains authorization bypass vulnerabilities in its environment management APIs th
hoppscotch is an open source API development ecosystem. [CVSS 6.5 MEDIUM]
Unauthenticated mass assignment in Hoppscotch self-hosted exposes the JWT_SECRET and SESSION_SECRET to full attacker con
Stored cross-site scripting (XSS) in Hoppscotch versions prior to 2026.3.0 enables remote attackers to execute arbitrary
Stored cross-site scripting (XSS) in Hoppscotch prior to version 2026.3.0 allows authenticated users to inject malicious
hoppscotch is an open source API development ecosystem. Prior to version 2026.2.1, the DELETE /v1/access-tokens/revoke e
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today