Skip to main content

Hoppscotch EUVDEUVD-2026-42653

| CVE-2026-59721 HIGH
Command Injection (CWE-77)
2026-07-09 security-advisories@github.com
7.2
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.2 HIGH

Admin-only infra mutation makes PR:H; network-reachable GraphQL with a straightforward payload gives AV:N/AC:L, and root command execution yields full C/I/A:H.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jul 09, 2026 - 19:01 EUVD
Analysis Generated
Jul 09, 2026 - 18:38 vuln.today

DescriptionCVE.org

Hoppscotch is an open source API development ecosystem. Prior to 2026.6.0, the updateInfraConfigs GraphQL mutation in admin/infra.resolver.ts accepts an attacker-controlled MAILER_SMTP_URL value, and validateSMTPUrl in utils.ts permits path, query, or fragment content that nodemailer parses into sendmail transport options, allowing an admin to execute arbitrary commands as root in the backend container after restart and mail sending. This issue is fixed in version 2026.6.0.

AnalysisAI

Command injection in self-hosted Hoppscotch instances prior to 2026.6.0 allows an authenticated administrator to achieve root-level code execution in the backend container. The updateInfraConfigs GraphQL mutation accepts an attacker-controlled MAILER_SMTP_URL whose path, query, or fragment is parsed by nodemailer into sendmail transport options, turning SMTP configuration into arbitrary command execution once the service restarts and sends mail. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain admin GraphQL access
Delivery
Submit updateInfraConfigs with malicious MAILER_SMTP_URL
Exploit
Bypass validateSMTPUrl via path/query/fragment
Execution
Inject nodemailer sendmail options
Persist
Trigger restart and mail send
Impact
Execute arbitrary command as root

Vulnerability AssessmentAI

Exploitation Requires an authenticated admin account able to call the updateInfraConfigs GraphQL mutation (CVSS PR:H), so this is not exploitable by anonymous users. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 7.2 (High) with vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - network-reachable, low-complexity, no user interaction, but gated behind high privileges (PR:H), namely an existing admin account. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained Hoppscotch admin access (via credential theft, a rogue administrator, or a chained flaw) submits an updateInfraConfigs GraphQL mutation setting MAILER_SMTP_URL to a crafted value whose fragment or query embeds sendmail transport options pointing at an arbitrary command. After the backend restarts and the next email is dispatched, nodemailer executes the injected command as root inside the container. …
Remediation Vendor-released patch: 2026.6.0 - upgrade all self-hosted Hoppscotch backend containers to 2026.6.0 or later, which corrects validateSMTPUrl to reject path/query/fragment content that nodemailer would treat as sendmail options (fix commit 73a88c82b1b2cada26cc4b2bc095b54554242239, PR https://github.com/hoppscotch/hoppscotch/pull/6413, advisory https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-v7q6-r45w-2c6r). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Hoppscotch deployments running versions prior to 2026.6.0 and audit administrator account assignments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42653 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy