CVE-2026-34932 HIGH

CVE-2026-34932: hoppscotch: Stored XSS via mock server responses on backend origin

Vendor Hoppscotch

Product hoppscotch

Weakness CWE-79 · XSS

Published April 2, 2026

Last update April 6, 2026

View on NVD All CVEs

CVSS base score

8.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is a stored XSS vulnerability that can lead to CSRF. This issue has been patched in version 2026.3.0.

Key dates

02Disclosure timeline

April 2, 2026 CVE published

April 6, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-34932

Related vulnerabilities

04Related CVE

CVE-2023-5114 idbbee <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode CVE-2026-24665 Open eClass is Vulnerable to Stored Cross-Site Scripting (XSS) via Student Assignment Upload CVE-2026-25487 Craft CMS has Stored XSS in Tax Rates Name Leading to Potential Privilege Escalation CVE-2023-41731 WordPress wordpress publish post email notification Plugin <= 1.0.2.2 is vulnerable to Cross Site Scripting (XSS) CVE-2023-28750 WordPress Albo Pretorio Online Plugin <= 4.6 is vulnerable to Cross Site Scripting (XSS)