Nixpkgs security tracker

Permalink CVE-2026-44478

7.5 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): None (N)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): None (N)

created 1 week, 4 days ago Activity log

Created suggestion 1 week, 4 days ago

hoppscotch: Unauthenticated Onboarding Config Disclosure via Empty Recovery Token

hoppscotch is an open source API development ecosystem. The fix for CVE-2026-28215 in version 2026.2.0 addresses the unauthenticated POST /v1/onboarding/config endpoint by checking onboardingCompleted and canReRunOnboarding before allowing config overwrites. However, GET /v1/onboarding/config still leaks all infrastructure secrets in plaintext to unauthenticated users when the ONBOARDING_RECOVERY_TOKEN stored in the database is an empty string. This vulnerability is fixed in 2026.4.0.

References

https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-7c8p-hj4p-3q3f x_refsource_CONFIRM

Affected products

hoppscotch

==>= 2025.7.0, < 2026.4.0

Matching in nixpkgs

pkgs.hoppscotch

Open source API development ecosystem

nixos-unstable 26.3.1-0
- nixpkgs-unstable 26.4.0-0
- nixos-unstable-small 26.4.0-0
nixos-25.11 25.9.1-0
- nixos-25.11-small 25.9.1-0
- nixpkgs-25.11-darwin 25.9.1-0

Package maintainers

@DataHearth DataHearth <dev@antoine-langlois.net>

Permalink CVE-2026-34931

created 1 month, 3 weeks ago Activity log

Created suggestion 1 month, 3 weeks ago

hoppscotch: Improper loopback redirect_uri validation in device-login flow

hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is an open redirect vulnerability that leads to token exfiltration. With these tokens, the attacker can sign in as the victim to takeover their account. This issue has been patched in version 2026.3.0.

References

https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-7fg7-wx5q-6m3v x_refsource_CONFIRM
https://github.com/hoppscotch/hoppscotch/releases/tag/2026.3.0 x_refsource_MISC

Affected products

hoppscotch

==< 2026.3.0

Matching in nixpkgs

pkgs.hoppscotch

Open source API development ecosystem

nixos-unstable 26.2.1-0
- nixpkgs-unstable 26.2.1-0
- nixos-unstable-small 26.2.1-0
nixos-25.11 25.9.1-0
- nixos-25.11-small 25.9.1-0
- nixpkgs-25.11-darwin 25.9.1-0

Package maintainers

@DataHearth DataHearth <dev@antoine-langlois.net>

Permalink CVE-2026-34847

4.7 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Changed (C)
Confidentiality (C): None (N)
Integrity (I): Low (L)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Changed (C)
Modified Integrity (MI): Low (L)
Modified Availability (MA): None (N)

created 1 month, 3 weeks ago Activity log

Created suggestion 1 month, 3 weeks ago

hoppscotch: Open redirect via `/enter?redirect=`

hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, the /enter page contains a DOM-based open redirect vulnerability. The redirect query parameter is directly used to construct a URL and redirect the user without proper validation. This issue has been patched in version 2026.3.0.

References

https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-27pm-c9ch-746q x_refsource_CONFIRM
https://github.com/hoppscotch/hoppscotch/releases/tag/2026.3.0 x_refsource_MISC

Affected products

hoppscotch

==< 2026.3.0

Matching in nixpkgs

pkgs.hoppscotch

Open source API development ecosystem

nixos-unstable 26.2.1-0
- nixpkgs-unstable 26.2.1-0
- nixos-unstable-small 26.2.1-0
nixos-25.11 25.9.1-0
- nixos-25.11-small 25.9.1-0
- nixpkgs-25.11-darwin 25.9.1-0

Package maintainers

@DataHearth DataHearth <dev@antoine-langlois.net>

Permalink CVE-2026-34848

5.4 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): Required (R)
Scope (S): Changed (C)
Confidentiality (C): Low (L)
Integrity (I): Low (L)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Changed (C)
Modified Integrity (MI): Low (L)
Modified Availability (MA): None (N)

created 1 month, 3 weeks ago Activity log

Created suggestion 1 month, 3 weeks ago

hoppscotch: Stored XSS in team member overflow tooltip via display name

hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is a stored XSS vulnerability in the team member overflow tooltip via display name. This issue has been patched in version 2026.3.0.

References

https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-vw93-4m6p-ccm9 x_refsource_CONFIRM
https://github.com/hoppscotch/hoppscotch/releases/tag/2026.3.0 x_refsource_MISC

Affected products

hoppscotch

==< 2026.3.0

Matching in nixpkgs

pkgs.hoppscotch

Open source API development ecosystem

nixos-unstable 26.2.1-0
- nixpkgs-unstable 26.2.1-0
- nixos-unstable-small 26.2.1-0
nixos-25.11 25.9.1-0
- nixos-25.11-small 25.9.1-0
- nixpkgs-25.11-darwin 25.9.1-0

Package maintainers

@DataHearth DataHearth <dev@antoine-langlois.net>

Permalink CVE-2026-34932

created 1 month, 3 weeks ago Activity log

Created suggestion 1 month, 3 weeks ago

hoppscotch: Stored XSS via mock server responses on backend origin

hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is a stored XSS vulnerability that can lead to CSRF. This issue has been patched in version 2026.3.0.

References

https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-wj4r-hr4h-g98v x_refsource_CONFIRM
https://github.com/hoppscotch/hoppscotch/releases/tag/2026.3.0 x_refsource_MISC

Affected products

hoppscotch

==< 2026.3.0

Matching in nixpkgs

pkgs.hoppscotch

Open source API development ecosystem

nixos-unstable 26.2.1-0
- nixpkgs-unstable 26.2.1-0
- nixos-unstable-small 26.2.1-0
nixos-25.11 25.9.1-0
- nixos-25.11-small 25.9.1-0
- nixpkgs-25.11-darwin 25.9.1-0

Package maintainers

@DataHearth DataHearth <dev@antoine-langlois.net>

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.hoppscotch

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.hoppscotch

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.hoppscotch

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.hoppscotch

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.hoppscotch

Package maintainers