Hoppscotch, the open source API development platform, patched two high-severity vulnerabilities in version 2026.3.0. CVE-2026-34931 is an improper loopback redirect_uri validation flaw in the device-login flow that creates an open redirect condition, allowing token exfiltration and potentially letting an attacker sign in as a victim and take over the victim’s account. The issue is classified as CWE-601 and is remotely exploitable with low attack complexity and no privileges required.
The same release also fixed CVE-2026-34932, a stored cross-site scripting vulnerability in mock server responses on the backend origin. The flaw, classified as CWE-79, can be used to trigger cross-site request forgery and requires user interaction, but is likewise network exploitable with low attack complexity and no prior privileges. Both issues affect Hoppscotch versions prior to 2026.3.0, making upgrade to the patched release the key remediation step.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
Aikido disclosed a third vulnerability in Hoppscotch affecting versions through 2026.2.1: a broken access control issue that let a user move a request into another team’s collection by setting nextRequestID to null, potentially enabling credential or API key theft if executed by the victim team. The article said this issue was patched in version 2026.3.0 but was accidentally grouped with the XSS report, leaving two advisories to cover three distinct flaws.
GitHub security advisories received records for CVE-2026-34931 and CVE-2026-34932 on April 2, 2026. The disclosures documented the Hoppscotch vulnerabilities as CWE-601 and CWE-79 issues, respectively, with published CVSS v4.0 vectors.
Hoppscotch fixed two security flaws in release 2026.3.0: CVE-2026-34931, an improper loopback redirect_uri validation issue in the device-login flow that could enable token exfiltration and account takeover, and CVE-2026-34932, a stored XSS issue via mock server responses on the backend origin that could lead to CSRF. Both issues affected versions prior to 2026.3.0.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
aikido.dev
Open sourcecvefeed.io
Open sourcecvefeed.io
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.