Impact
A stored cross‑site scripting flaw is present in the mock server functionality of the hoppscotch API development ecosystem. The flaw allows an attacker to embed malicious script into a mock server response that is then served from the backend origin. Because the response is delivered from that origin, a user who loads the affected response has the injected script run in their browser within the backend's origin and with the user's session credentials. The script can manipulate the page and perform further actions, such as submitting forms or reading session data. Because it acts with the user's authority, it can also be used to issue forged requests on the user's behalf (the advisory describes this as cross‑site request forgery), further compromising the integrity and confidentiality of the user's data.
Affected Systems
The vulnerability affects any deployment of hoppscotch that uses the mock server feature, specifically versions released before 2026.3.0. Any deployment running an earlier release is exposed to the stored XSS risk. The remediation is provided in the 2026.3.0 release, which removes the exploitable code path.
Risk and Exploitability
With a CVSS score of 8.5 the flaw is rated high severity. An EPSS score is not available and the issue is not listed in the CISA KEV catalog, but because the XSS is stored, the attacker's payload persists on the server until a user loads the affected mock response; no interaction with the attacker at the time of the attack is required. Successful exploitation needs a victim to view a crafted response, which is a realistic condition wherever the mock server is reachable by external users. Organizations should treat this as a high‑risk vulnerability and apply the patch promptly to eliminate the possibility of script injection and the secondary risk of forged requests made with the victim's session.
OpenCVE Enrichment