Impact
A stored cross‑site scripting flaw exists in hoppscotch. When a team member’s display name is entered or edited, the characters appear in an overflow tooltip without proper escaping. Because the input is not sanitized, an attacker can embed malicious script that will execute in any user’s browser when the tooltip is hovered, potentially allowing data theft or defacement. This weakness matches the injection and rendering vulnerability class identified as CWE‑79.
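The rendering pattern described above, as an added illustration (not hoppscotch's own code): a display name concatenated into tooltip markup without encoding, next to the same renderer with output escaping applied. The tooltip structure, helper names and the sample display name are all constructed for this example.

```javascript
// Added example, not code from the hoppscotch project. The tooltip markup,
// function names and the sample display name below are constructed.

// Encode the five characters that matter when text is placed inside an
// element body or a quoted attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the raw name is spliced into markup that is later
// assigned to innerHTML, so any tag inside the name becomes part of the DOM.
function renderTooltipUnsafe(displayName) {
  return `<div class="tooltip" role="tooltip">${displayName}</div>`;
}

// Hardened pattern: the name is encoded before it enters the markup, so the
// browser shows the characters literally instead of parsing them.
// (Setting element.textContent instead of building HTML avoids the issue too.)
function renderTooltipSafe(displayName) {
  return `<div class="tooltip" role="tooltip">${escapeHtml(displayName)}</div>`;
}

// Regression guard for a unit test: does the rendered fragment contain any
// tag other than the tooltip wrapper itself?
function hasInjectedTag(html) {
  const inner = html
    .replace(/^<div class="tooltip" role="tooltip">/, "")
    .replace(/<\/div>$/, "");
  return /<[a-zA-Z!\/]/.test(inner);
}

// Constructed display name carrying markup, standing in for attacker input.
const constructedName = "Ada <script>doSomething()</script>";

// Returns whether each renderer lets the tag through.
function demo() {
  return {
    unsafe: hasInjectedTag(renderTooltipUnsafe(constructedName)), // true
    safe: hasInjectedTag(renderTooltipSafe(constructedName)),     // false
  };
}
```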
Affected Systems
The vulnerability applies to the hoppscotch application. Every deployment running a build before version 2026.3.0 is vulnerable. The advisory lists hoppscotch as the affected product, and the fix ships in version 2026.3.0.
Risk and Exploitability
The CVSS score of 5.4 places it in the medium severity range, and no EPSS score is provided. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to supply a malicious display name, which likely needs access to create or edit team member information, an operation that may be restricted to authorized users. Based on the description, the likely attack vector is application‑level interaction: an attacker who can influence the display name can inject code, and any user who hovers over the tooltip will execute the payload. The medium score, combined with the requirement for user interaction, indicates a non‑negligible risk for organizations running unpatched instances.
OpenCVE Enrichment