CVE-2026-34847 Scanner - Open Redirect vulnerability in Hoppscotch
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 8 days 23 hours
Scan only one: URL
Toolbox
The Hoppscotch tool is widely used by developers to quickly test and interact with APIs. It offers a collaborative environment for testing API endpoints, supporting a variety of protocols and methods, mainly for web developers and teams working on web services. With Hoppscotch, users can save requests, share them with others, and document the API testing process efficiently, making it a valuable resource for both large and small development teams working with RESTful APIs.
The vulnerability detected in Hoppscotch <= 2026.2.1 is a DOM-based open redirect flaw. This type of vulnerability may allow attackers to redirect users to malicious websites through a link that initially shows the legitimate domain in the address bar. Such vulnerabilities can lead to credential theft, phishing, and interception of sensitive information such as OAuth tokens by tricking users into believing they are interacting with a trusted source.
Technically, the vulnerability occurs because the redirect URL parameter is not adequately validated: it is passed to `window.location.href` without checking its origin. Attackers can exploit this by crafting a URL with a malicious redirect parameter like `/enter?redirect=evil.com&foo=bar`, causing users to be redirected to attacker-controlled sites. Successful exploitation depends on users clicking on malicious links.
Exploiting this vulnerability can result in significant risks, such as phishing attacks, credential theft, and man-in-the-middle scenarios. Users might unknowingly enter sensitive information into a fraudulent site, believing they are on a legitimate one. Additionally, it could lead to the unauthorized capture of OAuth tokens, compromising further user accounts or data.
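The fix for this class of bug is to validate the redirect parameter against the application's own origin before it ever reaches `window.location.href`. The following is an added example written for this page; it is not Hoppscotch's code and makes no claim about how the project's `/enter` handler is implemented. The origin `https://app.example`, the function names and the sample inputs are all constructed for illustration.

```javascript
// Added example (not Hoppscotch's code): resolve a "redirect" parameter
// against the current origin and honour it only if it stays on that origin.
// The unsafe pattern this replaces is, in effect:
//   window.location.href = new URLSearchParams(location.search).get("redirect");
// which follows whatever host the parameter names.

// Returns a same-origin path (path + query + fragment) or the fallback.
function safeRedirectTarget(candidate, currentOrigin, fallback = "/") {
  if (typeof candidate !== "string" || candidate.trim() === "") return fallback;
  let resolved;
  try {
    // A relative path such as "/dashboard" resolves against currentOrigin;
    // absolute ("https://evil.example/") and protocol-relative
    // ("//evil.example/") inputs keep their own host and are caught below.
    resolved = new URL(candidate, currentOrigin);
  } catch {
    return fallback; // unparsable input
  }
  const httpLike = resolved.protocol === "https:" || resolved.protocol === "http:";
  if (!httpLike || resolved.origin !== currentOrigin) return fallback;
  // Hand back only the path, query and fragment so the caller can never
  // re-introduce a foreign host when it assigns window.location.href.
  return resolved.pathname + resolved.search + resolved.hash;
}

// Convenience wrapper for a full page URL such as ".../enter?redirect=...".
function redirectFromPageUrl(pageUrl, fallback = "/") {
  const page = new URL(pageUrl);
  return safeRedirectTarget(page.searchParams.get("redirect"), page.origin, fallback);
}

// Guarded so the module also runs outside a browser (e.g. under node).
function applyRedirect(pageUrl) {
  const target = redirectFromPageUrl(pageUrl);
  if (typeof window !== "undefined") window.location.href = target;
  return target;
}

// Constructed sample inputs; the origin is a placeholder, not a real deployment.
const ORIGIN = "https://app.example";
const samples = [
  "/dashboard?tab=1",                    // plain same-origin path: allowed
  "evil.example",                        // bare host resolves to a same-origin path
  "//evil.example/phish",                // protocol-relative: rejected
  "https://evil.example/",               // absolute foreign origin: rejected
  "https://app.example@evil.example/",   // userinfo trick, host is evil.example: rejected
  "https://app.example.evil.example/",   // look-alike subdomain: rejected
  "javascript:void(0)",                  // non-http scheme: rejected
  "",                                    // empty: fallback
];

for (const s of samples) {
  console.log(JSON.stringify(s), "->", safeRedirectTarget(s, ORIGIN));
}
console.log(applyRedirect("https://app.example/enter?redirect=//evil.example&foo=bar"));
```

Note that the bare string `evil.example` is not a host from the URL parser's point of view: relative to `https://app.example` it resolves to the harmless same-origin path `/evil.example`, which is why the function returns it unchanged. The hardened version therefore works by comparing parsed origins rather than by looking for substrings, and returns a path rather than the original string so that the assignment to `window.location.href` can never leave the site.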