{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34848", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T20:52:53.285Z", "datePublished": "2026-04-02T19:20:00.944Z", "dateUpdated": "2026-04-03T12:54:39.887Z"}, "containers": {"cna": {"title": "hoppscotch: Stored XSS in team member overflow tooltip via display name", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-vw93-4m6p-ccm9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-vw93-4m6p-ccm9"}, {"name": "https://github.com/hoppscotch/hoppscotch/releases/tag/2026.3.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/hoppscotch/hoppscotch/releases/tag/2026.3.0"}], "affected": [{"vendor": "hoppscotch", "product": "hoppscotch", "versions": [{"version": "< 2026.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T19:20:00.944Z"}, "descriptions": [{"lang": "en", "value": "hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is a stored XSS vulnerability in the team member overflow tooltip via display name. This issue has been patched in version 2026.3.0."}], "source": {"advisory": "GHSA-vw93-4m6p-ccm9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T12:54:32.780581Z", "id": "CVE-2026-34848", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T12:54:39.887Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34848", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T20:52:53.285Z", "datePublished": "2026-04-02T19:20:00.944Z", "dateUpdated": "2026-04-03T12:54:39.887Z"}, "containers": {"cna": {"title": "hoppscotch: Stored XSS in team member overflow tooltip via display name", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-vw93-4m6p-ccm9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-vw93-4m6p-ccm9"}, {"name": "https://github.com/hoppscotch/hoppscotch/releases/tag/2026.3.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/hoppscotch/hoppscotch/releases/tag/2026.3.0"}], "affected": [{"vendor": "hoppscotch", "product": "hoppscotch", "versions": [{"version": "< 2026.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T19:20:00.944Z"}, "descriptions": [{"lang": "en", "value": "hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is a stored XSS vulnerability in the team member overflow tooltip via display name. This issue has been patched in version 2026.3.0."}], "source": {"advisory": "GHSA-vw93-4m6p-ccm9", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34848", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T12:54:32.780581Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T12:54:36.847Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is a stored XSS vulnerability in the team member overflow tooltip via display name. This issue has been patched in version 2026.3.0."}], "id": "CVE-2026-34848", "lastModified": "2026-04-03T16:10:23.730", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T20:16:28.677", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/hoppscotch/hoppscotch/releases/tag/2026.3.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-vw93-4m6p-ccm9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2026.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "hoppscotch", "source": "cna", "vendor": "hoppscotch"}, "product": "hoppscotch", "vendor": "hoppscotch"}], "analysis": {"en": {"generated_at": "2026-04-02T22:48:47.842979+00:00", "value": {"mitigation_remediation": ["Upgrade hoppscotch to version\u202f2026.3.0 or later."], "summary": {"action": "Patch", "impact": "Stored cross\u2011site scripting via tooltip rendering of team member display names"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to the hoppscotch application. Every deployment using a build before version\u202f2026.3.0 is vulnerable. The advisory lists hoppscotch as the affected product, and the fix is released in the 2026.3.0 release.", "description_and_impact": "A stored cross\u2011site scripting flaw exists in hoppscotch. When a team member\u2019s display name is entered or edited, the characters appear in an overflow tooltip without proper escaping. Because the input is not sanitized, an attacker can embed malicious script that will execute in any user\u2019s browser when the tooltip is hovered, potentially allowing data theft or defacement. This weakness matches the injection and rendering vulnerability class identified as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 5.4 places it in the medium severity range and no EPSS score is provided. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to supply a malicious display name, which likely needs access to create or edit team member information\u2014an operation that may be restricted to authorized users. Based on the description, the likely attack vector is application\u2011level interaction: an attacker who can influence the display name can inject code, and any user who hovers over the tooltip will execute the payload. The medium score combined with the requirement of user interaction indicates a non\u2011negligible risk for organizations running unpatched instances."}}}}, "created": "2026-04-03T07:31:23.434966+00:00", "updated": "2026-04-03T09:16:18.878434+00:00", "vendors": ["hoppscotch", "hoppscotch$PRODUCT$hoppscotch"]}