CVE-2026-34848 MEDIUM

CVE-2026-34848: hoppscotch: Stored XSS in team member overflow tooltip via display name

Vendor Hoppscotch

Product hoppscotch

Weakness CWE-79 · XSS

Published April 2, 2026

Last update April 3, 2026

View on NVD All CVEs

CVSS base score

5.4/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is a stored XSS vulnerability in the team member overflow tooltip via display name. This issue has been patched in version 2026.3.0.

Key dates

02Disclosure timeline

April 2, 2026 CVE published

April 3, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-34848 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2024-12203 RSS Icon Widget <= 5.2 - Authenticated (Administrator+) Stored Cross-Site Scripting CVE-2025-62042 WordPress Event post plugin <= 5.10.3 - Cross Site Scripting (XSS) vulnerability CVE-2026-22867 LaSuite Doc affected by Stored XSS via Interlinking Block CVE-2026-34623 Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79) CVE-2025-14118 Starred Review <= 1.4.2 - Reflected Cross-Site Scripting via PHP_SELF Variable