Which versions of Hoppscotch are affected by EUVD-2026-18540?

Hoppscotch API development platform versions before 2026.3.0 contain a stored XSS vulnerability allowing unauthenticated attackers to inject malicious scripts into shared workspaces that execute in…. A patch is available.

How to fix or mitigate EUVD-2026-18540?

Within 24 hours: Identify all Hoppscotch instances and document current versions in use. Within 7 days: Upgrade all Hoppscotch deployments to version 2026.3.0 or later; verify patch application across all environments (on-premise, SaaS, containerized). Within 30 days: Conduct audit of workspace/collection access logs to identify any suspicious payload injections prior to patching; reset API credentials for users who may have accessed potentially compromised workspaces.

Hoppscotch EUVD-2026-18540

Q: What is the CVSS score of EUVD-2026-18540?

EUVD-2026-18540 has a CVSS 4.0 base score of 8.5 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

| CVE-2026-34932 HIGH

Cross-site Scripting (XSS) (CWE-79)

2026-04-02 GitHub_M

CSRF XSS Hoppscotch

8.5

CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.5 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:07 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

2026.3.0

EUVD ID Assigned

Apr 02, 2026 - 20:16 euvd

EUVD-2026-18540

Analysis Generated

Apr 02, 2026 - 20:16 vuln.today

CVE Published

Apr 02, 2026 - 19:19 nvd

HIGH 8.5

DescriptionGitHub Advisory

hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is a stored XSS vulnerability that can lead to CSRF. This issue has been patched in version 2026.3.0.

AnalysisAI

Stored cross-site scripting (XSS) in Hoppscotch versions prior to 2026.3.0 enables remote attackers to execute arbitrary JavaScript in victim browsers without authentication, potentially escalating to cross-site request forgery (CSRF) attacks against authenticated users. CVSS 8.5 (High) reflects network accessibility with low complexity but user interaction required. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Inject malicious script into API request field

Delivery

Store payload in Hoppscotch database

Exploit

Victim visits affected request

Execution

XSS executes in victim's browser

Persist

Steal session tokens via CSRF

Impact

Perform unauthorized actions