Hoppscotch Stored Cross-Site Scripting Vulnerability in Team Member Tooltip

Vulnerability

A stored cross-site scripting vulnerability has been identified in Hoppscotch versions prior to 2026.3.0. The issue resides in the team member overflow tooltip within shared workspaces, where user-controlled display names were rendered as HTML. This allowed a workspace member to inject JavaScript that would execute in the browser of other members interacting with the tooltip. The vulnerability affects Hoppscotch Cloud and self-hosted deployments that expose the shared workspace member stack.

Impact

Successful exploitation results in stored cross-site scripting: injected scripts execute in the context of other users' sessions, potentially leading to session hijacking or DOM manipulation.

Remediation

Users can update to Hoppscotch version 2026.3.0 or later, where this vulnerability has been patched.
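
The bug class described above (a user-controlled display name rendered as HTML in a tooltip), shown as an added example that is not Hoppscotch source code. The function names and the member records are hypothetical and constructed for illustration; the last helper is a heuristic for reviewing stored names on a self-hosted instance.

```javascript
// Added illustration; not Hoppscotch source code. All names are hypothetical.

// Constructed sample data: members hidden behind a "+N" overflow badge.
const members = [
  { id: "u1", displayName: "Alice Example" },
  { id: "u2", displayName: '<img src=x onerror="alert(1)">' }, // markup stored as a name
  { id: "u3", displayName: "O'Brien & Sons" },                 // legitimate special characters
];

// Vulnerable pattern: names are concatenated into a string that the tooltip
// later renders as HTML (for example by assigning it to innerHTML).
function tooltipHtmlUnsafe(list) {
  return list.map((m) => `<div class="member">${m.displayName}</div>`).join("");
}

// Encode the five characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: every user-controlled value is encoded before it reaches markup.
// Where the tooltip component accepts plain text, passing text instead is simpler still.
function tooltipHtmlSafe(list) {
  return list.map((m) => `<div class="member">${escapeHtml(m.displayName)}</div>`).join("");
}

// Review heuristic: return the ids of members whose stored name contains tag-like markup.
function findNamesWithMarkup(list) {
  const tagLike = /<\s*\/?\s*[a-zA-Z][^>]*>/;
  return list.filter((m) => tagLike.test(m.displayName)).map((m) => m.id);
}

console.log(tooltipHtmlSafe(members));
console.log("names to review:", findNamesWithMarkup(members));
```
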

Added: Apr 2, 2026, 9:53 PM
Updated: Apr 2, 2026, 9:53 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 2.6
remediation: 7.7
relevance: 4.9
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.