7.2 HIGH
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): High (H)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): High (H)
- Integrity (I): High (H)
- Availability (A): High (H)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): High (H)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): High (H)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): High (H)
- Modified Availability (MA): High (H)
by @LeSuisse Activity log
- Created suggestion
- @LeSuisse accepted
- @LeSuisse published on GitHub
Hoppscotch: Admin RCE via MAILER_SMTP_URL nodemailer sendmail-transport injection
Hoppscotch is an open source API development ecosystem. Prior to 2026.6.0, the updateInfraConfigs GraphQL mutation in admin/infra.resolver.ts accepts an attacker-controlled MAILER_SMTP_URL value, and validateSMTPUrl in utils.ts permits path, query, or fragment content that nodemailer parses into sendmail transport options, allowing an admin to execute arbitrary commands as root in the backend container after restart and mail sending. This issue is fixed in version 2026.6.0.
References
-
https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-v7q6-r45w-2c6r exploitx_refsource_CONFIRM
-
https://github.com/hoppscotch/hoppscotch/pull/6413 x_refsource_MISC
-
https://github.com/hoppscotch/hoppscotch/releases/tag/2026.6.0 x_refsource_MISC
Affected products
- ==< 2026.6.0
Package maintainers
-
@DataHearth DataHearth <dev@antoine-langlois.net>
7.5 HIGH
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): High (H)
- Integrity (I): None (N)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): High (H)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): None (N)
- Modified Availability (MA): None (N)
by @LeSuisse Activity log
- Created suggestion
- @LeSuisse accepted
- @LeSuisse published on GitHub
Hoppscotch: Insecure Default Configuration Allows Public Exposure of Private Collection Data via Mock Server
Hoppscotch is an open source API development ecosystem. Prior to 2026.6.0, mock server creation in mock-server.service.ts does not persist the isPublic input field while schema.prisma defaults isPublic to true, causing mock servers linked to private collections to be publicly accessible without authentication and potentially expose sensitive API data. This issue is fixed in version 2026.6.0.
References
-
https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-c68f-wr5p-j6jf exploitx_refsource_CONFIRM
-
https://github.com/hoppscotch/hoppscotch/pull/6410 x_refsource_MISC
-
https://github.com/hoppscotch/hoppscotch/releases/tag/2026.6.0 x_refsource_MISC
Affected products
- ==< 2026.6.0
Package maintainers
-
@DataHearth DataHearth <dev@antoine-langlois.net>