Skip to main content

Open Redirect CVE-2026-34847

| EUVD-2026-18534 MEDIUM
URL Redirection to Untrusted Site (Open Redirect) (CWE-601)
2026-04-02 GitHub_M
Open Redirect
4.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.7 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2026.3.0
EUVD ID Assigned
Apr 02, 2026 - 20:16 euvd
EUVD-2026-18534
Analysis Generated
Apr 02, 2026 - 20:16 vuln.today
CVE Published
Apr 02, 2026 - 19:19 nvd
MEDIUM 4.7

DescriptionGitHub Advisory

hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, the /enter page contains a DOM-based open redirect vulnerability. The redirect query parameter is directly used to construct a URL and redirect the user without proper validation. This issue has been patched in version 2026.3.0.

AnalysisAI

Hoppscotch prior to version 2026.3.0 contains a DOM-based open redirect vulnerability in the /enter page that allows unauthenticated remote attackers to redirect users to arbitrary external URLs through an unvalidated redirect query parameter. The vulnerability requires user interaction (clicking a malicious link) and has limited impact (integrity only), but poses a real phishing risk. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment While the CVSS score of 4.7 is below the critical threshold, real-world risk is moderate and context-dependent. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends a phishing email to Hoppscotch users containing a link like https://hoppscotch.io/enter?redirect=https://attacker.com/phishing. When a user clicks the link, the unvalidated redirect parameter automatically redirects them to the attacker's phishing page designed to mimic a legitimate login form. …
Remediation Vendor-released patch: Upgrade to Hoppscotch version 2026.3.0 or later, which contains the fix for the redirect query parameter validation. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-53523 MEDIUM
6.8 Jun 12

Host header injection in Nezha Monitoring versions 1.0.0 through 2.2.0 allows unauthenticated remote attackers to redire
CVE-2026-45566 MEDIUM
6.1 Jun 10

Open redirect in Roxy-WI versions 8.2.6.4 and prior allows unauthenticated remote attackers to silently redirect authent
CVE-2026-50089 MEDIUM
6.1 Jun 12

Open redirect in the Aqara IAM/SSO Gateway (gw-builder.aqara.com) allows remote unauthenticated attackers to craft Aqara
CVE-2026-10837 MEDIUM
5.1 Jun 17

Open redirection in Password Manager exposes users to phishing attacks by failing to validate the X-Forwarded-Host HTTP

CVE-2026-10839 MEDIUM
5.1 Jun 17

Open redirection in the Password Manager authentication system enables network-accessible, unauthenticated attackers to

Share

CVE-2026-34847 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy