CVE-2026-34932
Published: 02 April 2026
Summary
CVE-2026-34932 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Hoppscotch (vendor: Hoppscotch). Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks in the 2.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-15 (Information Output Filtering): filters malicious scripts from information output before rendering to users, directly preventing stored XSS payload execution in Hoppscotch.
- SI-10 (Information Input Validation): validates and sanitizes inputs at entry points to block injection of XSS payloads that could be stored and later executed.
- SI-2 (Flaw Remediation): mandates timely flaw remediation, such as patching Hoppscotch to version 2026.3.0, to eliminate the specific stored XSS vulnerability.
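The output-filtering control (SI-15) in practice: an added example, not Hoppscotch's own code, contrasting a rendering path that concatenates stored request metadata straight into HTML with one that encodes each value for the context it lands in. The field names (requestName, requestUrl), the render functions and the sample record are hypothetical constructions for illustration.

```javascript
// Added example (not Hoppscotch code): context-aware output encoding of stored,
// user-supplied request metadata before it is rendered as HTML (NIST SI-15).
// Field names, functions and the sample record are hypothetical.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for the HTML text context and for double-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow only http(s) URLs in href; anything else (including javascript: URLs)
// is replaced with an inert fragment so the stored value cannot become a handler.
function safeHref(url) {
  try {
    const parsed = new URL(String(url));
    return parsed.protocol === 'http:' || parsed.protocol === 'https:' ? parsed.href : '#';
  } catch {
    return '#'; // unparseable or relative input is not rendered as a link target
  }
}

// Vulnerable rendering: stored values are interpolated into markup unencoded,
// so a script tag in the request name runs in every viewer's browser.
function renderRequestCardUnsafe(req) {
  return `<div class="request"><a href="${req.requestUrl}">${req.requestName}</a></div>`;
}

// Hardened rendering: the URL is validated, then both values are HTML-encoded.
function renderRequestCardSafe(req) {
  const href = escapeHtml(safeHref(req.requestUrl));
  return `<div class="request"><a href="${href}">${escapeHtml(req.requestName)}</a></div>`;
}

// Constructed sample: a shared request whose stored fields carry markup and a
// non-http URL, the shape of input a stored XSS reaches other users with.
const sampleRequest = {
  requestName: 'Login <script>alert(1)</script>',
  requestUrl: 'javascript:alert(1)',
};

console.log(renderRequestCardUnsafe(sampleRequest));
console.log(renderRequestCardSafe(sampleRequest));
```

The safe variant renders the name as literal text (`&lt;script&gt;...`) and neutralises the `javascript:` link, which is the behaviour an output-filtering check should assert on.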
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in the public-facing Hoppscotch web application directly enables remote exploitation (T1190); execution of the payload in a victim's browser facilitates theft of web session cookies and API keys (T1539, Steal Web Session Cookie).
NVD Description
hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is a stored XSS vulnerability that can lead to CSRF. This issue has been patched in version 2026.3.0.
Deeper analysis
CVE-2026-34932 is a stored cross-site scripting (XSS) vulnerability in Hoppscotch, an open-source API development ecosystem, affecting versions prior to 2026.3.0. Classified under CWE-79, the flaw allows malicious scripts to be stored and then executed in the browsers of other users who view the affected content. It carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N): critical severity, reflecting network accessibility, low attack complexity, no required privileges, a scope change (impact beyond the vulnerable component), and high confidentiality and integrity impact.
A remote attacker without authentication can exploit this vulnerability by injecting malicious payloads into Hoppscotch, which are then stored and rendered for other users. Exploitation requires user interaction, such as viewing a tampered API request or response, triggering the stored XSS payload. This can lead to cross-site request forgery (CSRF), enabling the attacker to perform actions on behalf of the victim, such as stealing sensitive data (e.g., API keys or session tokens) or modifying application state.
The vulnerability has been addressed in Hoppscotch version 2026.3.0. Security practitioners should update to this patched release, as detailed in the official GitHub release notes (https://github.com/hoppscotch/hoppscotch/releases/tag/2026.3.0) and the corresponding security advisory (https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-wj4r-hr4h-g98v). No additional mitigations are specified beyond upgrading.
Details
- CWE(s)