Description
hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, the /enter page contains a DOM-based open redirect vulnerability. The redirect query parameter is directly used to construct a URL and redirect the user without proper validation. This issue has been patched in version 2026.3.0.
Published: 2026-04-02
Score: 4.7 Medium
EPSS: n/a
KEV: No
Impact: Open Redirect
Action: Apply Patch
AI Analysis

Impact

A DOM‑based open redirect was discovered on the /enter route of hoppscotch. Client‑side code on that page reads the redirect query string value and uses it directly to build the navigation target, without checking that the target stays on the application's own origin. An attacker can therefore supply an arbitrary URL, and a victim who opens the crafted /enter link is sent to a site of the attacker's choosing. Because the redirect is performed by script in the browser rather than by a server‑side Location header, the issue is DOM‑based; it is classified as CWE‑601 (URL Redirection to Untrusted Site). It does not grant code execution or direct data exposure, but a redirect originating from a trusted hoppscotch URL lends credibility to phishing pages, malware downloads and other social engineering. The CVSS score of 4.7 indicates a moderate risk to users.

Affected Systems

The issue affects hoppscotch, the open‑source API development ecosystem. Every release prior to version 2026.3.0 is susceptible; the fix ships in version 2026.3.0 and later. Operators should check the exact version of each deployed instance (self‑hosted instances included) and upgrade accordingly.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 score of 4.7 (vector AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N: network‑reachable, low complexity, no privileges required, user interaction required, changed scope, low integrity impact); the EPSS metric is not available and it is not listed in the CISA KEV catalog. Exploitation requires the attacker to craft a link to the /enter endpoint with a malicious redirect value and get a user to open it, whether directly or via a redirect from another site. The attack is therefore web‑based and user‑initiated: it needs a social‑engineering lure and is unlikely to be exploited at scale by automated means.

Generated by OpenCVE AI on April 2, 2026 at 22:19 UTC.

Remediation

A vendor fix is available: the issue is patched in hoppscotch version 2026.3.0. No workaround other than upgrading is documented by the vendor.

OpenCVE Recommended Actions

  • Update hoppscotch to version 2026.3.0 or newer.
  • If an upgrade is not immediately feasible, validate the redirect value on the /enter page so that only relative, same‑origin paths are accepted, and fall back to a fixed in‑app destination for anything else; blocking external hosts alone is not enough, since scheme‑relative (`//host`) and backslash (`/\host`) forms also escape the origin.
  • A reverse proxy in front of the instance can additionally drop or rewrite redirect query values that are not relative paths, but because the redirect is performed in client‑side script, only a check in the client code fully removes the issue.
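The following is an added example, not Hoppscotch's own code, illustrating the vulnerable pattern described under Impact beside the kind of redirect‑target check recommended above. The origin, the function names and the sample query strings are constructed for illustration; the check uses the WHATWG URL parser (the same one the browser uses to navigate) so that the normalised result, not the raw string, is what gets validated.

```javascript
// Added example (not Hoppscotch's code). APP_ORIGIN, unsafeRedirectTarget and
// safeRedirectTarget are hypothetical names; in a browser, APP_ORIGIN would be location.origin.
const APP_ORIGIN = "https://app.example.com"; // constructed origin of the deployed instance

// Vulnerable pattern (CWE-601): whatever arrives in ?redirect= becomes the navigation target.
// A page would typically do: window.location.href = unsafeRedirectTarget(location.search)
function unsafeRedirectTarget(search) {
  const params = new URLSearchParams(search);
  return params.get("redirect") || "/";
}

// Hardened: accept only a relative path on the application's own origin; otherwise fall back to "/".
function safeRedirectTarget(search, appOrigin = APP_ORIGIN) {
  const fallback = "/";
  const raw = new URLSearchParams(search).get("redirect");
  if (raw === null) return fallback;
  const value = raw.trim();

  // Must start with exactly one "/" that is not followed by "/" or "\".
  // Rejects "", "https://evil.example", "//evil.example", "/\evil.example", "javascript:..."
  // and, deliberately, absolute same-origin URLs too, to keep the rule simple.
  if (!/^\/(?![\/\\])/.test(value)) return fallback;

  // The URL parser strips tab and newline before parsing, so "/\t/evil.example" would
  // become "//evil.example"; refuse control characters and backslashes outright.
  if (/[\\\u0000-\u001f\u007f]/.test(value)) return fallback;

  let resolved;
  try {
    resolved = new URL(value, appOrigin); // resolve exactly as the browser will
  } catch {
    return fallback;
  }
  if (resolved.origin !== appOrigin) return fallback;

  // Dot-segment normalisation can leave a path beginning with "//" (e.g. "/..//evil.example"),
  // which a later navigation would treat as scheme-relative. Re-check the normalised target.
  const target = resolved.pathname + resolved.search + resolved.hash;
  if (/^\/[\/\\]/.test(target)) return fallback;
  return target;
}

// Constructed ?redirect= values: one legitimate in-app path and several bypass attempts.
const SAMPLES = [
  "?redirect=%2Fdashboard%3Ftab%3Dcollections",
  "?redirect=https://evil.example/login",
  "?redirect=//evil.example",
  "?redirect=/\\evil.example",
  "?redirect=javascript:alert(1)",
  "?redirect=/%09/evil.example",
  "?redirect=/..//evil.example",
  "",
];

// Side-by-side view of where each sample would send the user under both implementations.
function demo() {
  return SAMPLES.map((s) => ({
    query: s,
    unsafe: unsafeRedirectTarget(s),
    safe: safeRedirectTarget(s),
  }));
}

console.table(demo());
```

Run with `node` to see the table: the unsafe column reproduces every attacker‑supplied destination verbatim, while the safe column keeps only `/dashboard?tab=collections` and collapses the rest to `/`. Returning a path rather than the raw string also means the page never navigates to a different scheme, since `javascript:` and `data:` values fail the leading‑slash check before any parsing happens.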

Tracking

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 10:15:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Hoppscotch
                                        Hoppscotch hoppscotch
Vendors & Products                      Hoppscotch
                                        Hoppscotch hoppscotch

Thu, 02 Apr 2026 20:30:00 +0000

Type          Values Removed    Values Added
Description                     hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, the /enter page contains a DOM-based open redirect vulnerability. The redirect query parameter is directly used to construct a URL and redirect the user without proper validation. This issue has been patched in version 2026.3.0.
Title                           hoppscotch: Open redirect via `/enter?redirect=`
Weaknesses                      CWE-601
References
Metrics                         cvssV3_1 {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N'}


Subscriptions

Hoppscotch Hoppscotch
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T19:19:05.703Z

Reserved: 2026-03-30T20:52:53.285Z

Link: CVE-2026-34847

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-02T20:16:28.520

Modified: 2026-04-02T20:16:28.520

Link: CVE-2026-34847

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:16:20Z

Weaknesses