Search criteria
8 vulnerabilities by hoppscotch
CVE-2026-28217 (GCVE-0-2026-28217)
Vulnerability from cvelistv5 – Published: 2026-02-26 22:38 – Updated: 2026-02-27 18:42
VLAI?
Title
IDOR in GraphQL userCollection Query Exposes Other Users' Private Collections
Summary
hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, the `userCollection` GraphQL query accepts an arbitrary collection ID and returns the full collection data — including title, type, and the serialized `data` field containing HTTP requests with headers and potentially secrets — to any authenticated user, without verifying that the requesting user owns the collection. This is an Insecure Direct Object Reference (IDOR) caused by a missing authorization check that exists on every other operation in the same resolver. Version 2026.2.0 fixes the issue.
Severity ?
6.5 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| hoppscotch | hoppscotch |
Affected:
< 2026.2.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28217",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T18:41:50.745815Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T18:42:07.857Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "hoppscotch",
"vendor": "hoppscotch",
"versions": [
{
"status": "affected",
"version": "\u003c 2026.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, the `userCollection` GraphQL query accepts an arbitrary collection ID and returns the full collection data \u2014 including title, type, and the serialized `data` field containing HTTP requests with headers and potentially secrets \u2014 to any authenticated user, without verifying that the requesting user owns the collection. This is an Insecure Direct Object Reference (IDOR) caused by a missing authorization check that exists on every other operation in the same resolver. Version 2026.2.0 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T22:38:33.854Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-m5pg-r4jp-qq75",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-m5pg-r4jp-qq75"
},
{
"name": "https://github.com/hoppscotch/hoppscotch/releases/tag/2026.2.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hoppscotch/hoppscotch/releases/tag/2026.2.0"
}
],
"source": {
"advisory": "GHSA-m5pg-r4jp-qq75",
"discovery": "UNKNOWN"
},
"title": "IDOR in GraphQL userCollection Query Exposes Other Users\u0027 Private Collections"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28217",
"datePublished": "2026-02-26T22:38:33.854Z",
"dateReserved": "2026-02-25T15:28:40.649Z",
"dateUpdated": "2026-02-27T18:42:07.857Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28216 (GCVE-0-2026-28216)
Vulnerability from cvelistv5 – Published: 2026-02-26 22:36 – Updated: 2026-02-27 18:43
VLAI?
Title
hoppscotch has IDOR in updateUserEnvironment / deleteUserEnvironment
Summary
hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, any logged-in user can read, modify or delete another user's personal environment by ID. `user-environments.resolver.ts:82-109`, `updateUserEnvironment` mutation uses `@UseGuards(GqlAuthGuard)` but is missing the `@GqlUser()` decorator entirely. The user's identity is never extracted, so the service receives only the environment ID and performs a `prisma.userEnvironment.update({ where: { id } })` without any ownership filter. `deleteUserEnvironment` does extract the user but the service only uses the UID to check if the target is a global environment. Actual delete query uses WHERE { id } without AND userUid. hoppscotch environments store API keys, auth tokens and secrets used in API requests. An authenticated attacker who obtains another user's environment ID can read their secrets, replace them with malicious values or delete them entirely. The environment ID format is CUID, which limits mass exploitation but insider threat and combined info leak scenarios are realistic. Version 2026.2.0 fixes the issue.
Severity ?
8.3 (High)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| hoppscotch | hoppscotch |
Affected:
< 2026.2.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28216",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T18:43:04.669293Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T18:43:16.218Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "hoppscotch",
"vendor": "hoppscotch",
"versions": [
{
"status": "affected",
"version": "\u003c 2026.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, any logged-in user can read, modify or delete another user\u0027s personal environment by ID. `user-environments.resolver.ts:82-109`, `updateUserEnvironment` mutation uses `@UseGuards(GqlAuthGuard)` but is missing the `@GqlUser()` decorator entirely. The user\u0027s identity is never extracted, so the service receives only the environment ID and performs a `prisma.userEnvironment.update({ where: { id } })` without any ownership filter. `deleteUserEnvironment` does extract the user but the service only uses the UID to check if the target is a global environment. Actual delete query uses WHERE { id } without AND userUid. hoppscotch environments store API keys, auth tokens and secrets used in API requests. An authenticated attacker who obtains another user\u0027s environment ID can read their secrets, replace them with malicious values or delete them entirely. The environment ID format is CUID, which limits mass exploitation but insider threat and combined info leak scenarios are realistic. Version 2026.2.0 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T22:36:50.539Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-72rv-vc3j-5vqr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-72rv-vc3j-5vqr"
},
{
"name": "https://github.com/hoppscotch/hoppscotch/releases/tag/2026.2.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hoppscotch/hoppscotch/releases/tag/2026.2.0"
}
],
"source": {
"advisory": "GHSA-72rv-vc3j-5vqr",
"discovery": "UNKNOWN"
},
"title": "hoppscotch has IDOR in updateUserEnvironment / deleteUserEnvironment"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28216",
"datePublished": "2026-02-26T22:36:50.539Z",
"dateReserved": "2026-02-25T15:28:40.649Z",
"dateUpdated": "2026-02-27T18:43:16.218Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28215 (GCVE-0-2026-28215)
Vulnerability from cvelistv5 – Published: 2026-02-26 22:34 – Updated: 2026-02-26 22:34
VLAI?
Title
hoppscotch Vulnerable to Unauthenticated Onboarding Config Takeover
Summary
hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, an unauthenticated attacker can overwrite the entire infrastructure configuration of a self-hosted Hoppscotch instance including OAuth provider credentials and SMTP settings by sending a single HTTP POST request with no authentication. The endpoint POST /v1/onboarding/config has no authentication guard and performs no check on whether onboarding was already completed. A successful exploit allows the attacker to replace the instance's Google/GitHub/Microsoft OAuth application credentials with their own, causing all subsequent user logins via SSO to authenticate against the attacker's OAuth app. The attacker captures OAuth tokens and email addresses of every user who logs in after the exploit. Additionally, the endpoint returns a recovery token that can be used to read all stored secrets in plaintext, including SMTP passwords and any other configured credentials. Version 2026.2.0 fixes the issue.
Severity ?
9.1 (Critical)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| hoppscotch | hoppscotch |
Affected:
< 2026.2.0
|
{
"containers": {
"cna": {
"affected": [
{
"product": "hoppscotch",
"vendor": "hoppscotch",
"versions": [
{
"status": "affected",
"version": "\u003c 2026.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, an unauthenticated attacker can overwrite the entire infrastructure configuration of a self-hosted Hoppscotch instance including OAuth provider credentials and SMTP settings by sending a single HTTP POST request with no authentication. The endpoint POST /v1/onboarding/config has no authentication guard and performs no check on whether onboarding was already completed. A successful exploit allows the attacker to replace the instance\u0027s Google/GitHub/Microsoft OAuth application credentials with their own, causing all subsequent user logins via SSO to authenticate against the attacker\u0027s OAuth app. The attacker captures OAuth tokens and email addresses of every user who logs in after the exploit. Additionally, the endpoint returns a recovery token that can be used to read all stored secrets in plaintext, including SMTP passwords and any other configured credentials. Version 2026.2.0 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T22:34:46.524Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-jwv8-867r-q9fg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-jwv8-867r-q9fg"
},
{
"name": "https://github.com/hoppscotch/hoppscotch/releases/tag/2026.2.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hoppscotch/hoppscotch/releases/tag/2026.2.0"
}
],
"source": {
"advisory": "GHSA-jwv8-867r-q9fg",
"discovery": "UNKNOWN"
},
"title": "hoppscotch Vulnerable to Unauthenticated Onboarding Config Takeover"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28215",
"datePublished": "2026-02-26T22:34:46.524Z",
"dateReserved": "2026-02-25T15:28:40.649Z",
"dateUpdated": "2026-02-26T22:34:46.524Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-34714 (GCVE-0-2024-34714)
Vulnerability from cvelistv5 – Published: 2024-05-14 14:48 – Updated: 2024-08-02 02:59
VLAI?
Title
Hoppscotch Extension responds to calls made by origins not in the domain list
Summary
The Hoppscotch Browser Extension is a browser extension for Hoppscotch, a community-driven end-to-end open-source API development ecosystem. Due to an oversight during a change made to the extension in the commit d4e8e4830326f46ba17acd1307977ecd32a85b58, a critical check for the origin list was missed and allowed for messages to be sent to the extension which the extension gladly processed and responded back with the results of, while this wasn't supposed to happen and be blocked by the origin not being present in the origin list.
This vulnerability exposes Hoppscotch Extension users to sites which call into Hoppscotch Extension APIs internally. This fundamentally allows any site running on the browser with the extension installed to bypass CORS restrictions if the user is running extensions with the given version. This security hole was patched in the commit 7e364b928ab722dc682d0fcad713a96cc38477d6 which was released along with the extension version `0.35`. As a workaround, Chrome users can use the Extensions Settings to disable the extension access to only the origins that you want. Firefox doesn't have an alternative to upgrading to a fixed version.
Severity ?
7.6 (High)
CWE
- CWE-354 - Improper Validation of Integrity Check Value
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| hoppscotch | hoppscotch-extension |
Affected:
>= 0.28, < 0.35
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:hoppscotch:hoppscotch_extension:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "hoppscotch_extension",
"vendor": "hoppscotch",
"versions": [
{
"lessThan": "0.28",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34714",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-14T16:03:31.682244Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T19:11:08.066Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:59:22.606Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/hoppscotch/hoppscotch-extension/security/advisories/GHSA-jjh5-pvqx-gg5v",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/hoppscotch/hoppscotch-extension/security/advisories/GHSA-jjh5-pvqx-gg5v"
},
{
"name": "https://github.com/hoppscotch/hoppscotch-extension/commit/7e364b928ab722dc682d0fcad713a96cc38477d6",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hoppscotch/hoppscotch-extension/commit/7e364b928ab722dc682d0fcad713a96cc38477d6"
},
{
"name": "https://github.com/hoppscotch/hoppscotch-extension/commit/d4e8e4830326f46ba17acd1307977ecd32a85b58",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hoppscotch/hoppscotch-extension/commit/d4e8e4830326f46ba17acd1307977ecd32a85b58"
},
{
"name": "https://server.yadhu.in/poc/hoppscotch-poc.html",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://server.yadhu.in/poc/hoppscotch-poc.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "hoppscotch-extension",
"vendor": "hoppscotch",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.28, \u003c 0.35"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Hoppscotch Browser Extension is a browser extension for Hoppscotch, a community-driven end-to-end open-source API development ecosystem. Due to an oversight during a change made to the extension in the commit d4e8e4830326f46ba17acd1307977ecd32a85b58, a critical check for the origin list was missed and allowed for messages to be sent to the extension which the extension gladly processed and responded back with the results of, while this wasn\u0027t supposed to happen and be blocked by the origin not being present in the origin list.\n\nThis vulnerability exposes Hoppscotch Extension users to sites which call into Hoppscotch Extension APIs internally. This fundamentally allows any site running on the browser with the extension installed to bypass CORS restrictions if the user is running extensions with the given version. This security hole was patched in the commit 7e364b928ab722dc682d0fcad713a96cc38477d6 which was released along with the extension version `0.35`. As a workaround, Chrome users can use the Extensions Settings to disable the extension access to only the origins that you want. Firefox doesn\u0027t have an alternative to upgrading to a fixed version."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-354",
"description": "CWE-354: Improper Validation of Integrity Check Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-14T14:48:36.879Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/hoppscotch/hoppscotch-extension/security/advisories/GHSA-jjh5-pvqx-gg5v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hoppscotch/hoppscotch-extension/security/advisories/GHSA-jjh5-pvqx-gg5v"
},
{
"name": "https://github.com/hoppscotch/hoppscotch-extension/commit/7e364b928ab722dc682d0fcad713a96cc38477d6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hoppscotch/hoppscotch-extension/commit/7e364b928ab722dc682d0fcad713a96cc38477d6"
},
{
"name": "https://github.com/hoppscotch/hoppscotch-extension/commit/d4e8e4830326f46ba17acd1307977ecd32a85b58",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hoppscotch/hoppscotch-extension/commit/d4e8e4830326f46ba17acd1307977ecd32a85b58"
},
{
"name": "https://server.yadhu.in/poc/hoppscotch-poc.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://server.yadhu.in/poc/hoppscotch-poc.html"
}
],
"source": {
"advisory": "GHSA-jjh5-pvqx-gg5v",
"discovery": "UNKNOWN"
},
"title": "Hoppscotch Extension responds to calls made by origins not in the domain list"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-34714",
"datePublished": "2024-05-14T14:48:36.879Z",
"dateReserved": "2024-05-07T13:53:00.133Z",
"dateUpdated": "2024-08-02T02:59:22.606Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-34347 (GCVE-0-2024-34347)
Vulnerability from cvelistv5 – Published: 2024-05-08 14:16 – Updated: 2025-06-10 15:33
VLAI?
Title
@hoppscotch/cli affected by Sandbox Escape in @hoppscotch/js-sandbox leads to RCE
Summary
@hoppscotch/cli is a CLI to run Hoppscotch Test Scripts in CI environments. Prior to 0.8.0, the @hoppscotch/js-sandbox package provides a Javascript sandbox that uses the Node.js vm module. However, the vm module is not safe for sandboxing untrusted Javascript code. This is because code inside the vm context can break out if it can get a hold of any reference to an object created outside of the vm. In the case of @hoppscotch/js-sandbox, multiple references to external objects are passed into the vm context to allow pre-request scripts interactions with environment variables and more. But this also allows the pre-request script to escape the sandbox. This vulnerability is fixed in 0.8.0.
Severity ?
8.4 (High)
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| hoppscotch | hoppscotch |
Affected:
>= 0.5.0, < 0.8.0
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:hoppscotch:hoppscotch:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "hoppscotch",
"vendor": "hoppscotch",
"versions": [
{
"lessThan": "0.8.0",
"status": "affected",
"version": "0.5.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34347",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-08T17:33:34.499969Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:41:42.244Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:51:10.919Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-qmmm-73r2-f8xr",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-qmmm-73r2-f8xr"
},
{
"name": "https://github.com/hoppscotch/hoppscotch/commit/22c6eabd133195d22874250a5ae40cb26b851b01",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hoppscotch/hoppscotch/commit/22c6eabd133195d22874250a5ae40cb26b851b01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "hoppscotch",
"vendor": "hoppscotch",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.5.0, \u003c 0.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "@hoppscotch/cli is a CLI to run Hoppscotch Test Scripts in CI environments. Prior to 0.8.0, the @hoppscotch/js-sandbox package provides a Javascript sandbox that uses the Node.js vm module. However, the vm module is not safe for sandboxing untrusted Javascript code. This is because code inside the vm context can break out if it can get a hold of any reference to an object created outside of the vm. In the case of @hoppscotch/js-sandbox, multiple references to external objects are passed into the vm context to allow pre-request scripts interactions with environment variables and more. But this also allows the pre-request script to escape the sandbox. This vulnerability is fixed in 0.8.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T15:33:47.072Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-qmmm-73r2-f8xr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-qmmm-73r2-f8xr"
},
{
"name": "https://github.com/hoppscotch/hoppscotch/commit/22c6eabd133195d22874250a5ae40cb26b851b01",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hoppscotch/hoppscotch/commit/22c6eabd133195d22874250a5ae40cb26b851b01"
},
{
"name": "https://www.sonarsource.com/blog/scripting-outside-the-box-api-client-security-risks-part-2",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.sonarsource.com/blog/scripting-outside-the-box-api-client-security-risks-part-2"
}
],
"source": {
"advisory": "GHSA-qmmm-73r2-f8xr",
"discovery": "UNKNOWN"
},
"title": "@hoppscotch/cli affected by Sandbox Escape in @hoppscotch/js-sandbox leads to RCE"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-34347",
"datePublished": "2024-05-08T14:16:38.206Z",
"dateReserved": "2024-05-02T06:36:32.437Z",
"dateUpdated": "2025-06-10T15:33:47.072Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-27092 (GCVE-0-2024-27092)
Vulnerability from cvelistv5 – Published: 2024-02-26 19:40 – Updated: 2024-08-02 00:27
VLAI?
Title
Content spoofing - real Hoppscotch emails
Summary
Hoppscotch is an API development ecosystem. Due to lack of validation for fields like Label (Edit Team) - TeamName, bad actors can send emails with Spoofed Content as Hoppscotch. Part of payload (external link) is presented in clickable form - easier to achieve own goals by malicious actors. This issue is fixed in 2023.12.6.
Severity ?
5.4 (Medium)
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| hoppscotch | hoppscotch |
Affected:
< 2023.12.6
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:hoppscotch:hoppscotch:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "hoppscotch",
"vendor": "hoppscotch",
"versions": [
{
"lessThan": "2023.12.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27092",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-07T16:30:40.545128Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T16:35:18.750Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:27:57.835Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-8r6h-8r68-q3pp",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-8r6h-8r68-q3pp"
},
{
"name": "https://github.com/hoppscotch/hoppscotch/commit/6827e97ec583b2534cdc1c2f33fa44973a0c2bf5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hoppscotch/hoppscotch/commit/6827e97ec583b2534cdc1c2f33fa44973a0c2bf5"
},
{
"name": "https://github.com/hoppscotch/hoppscotch/blob/main/packages/hoppscotch-backend/src/team-invitation/team-invitation.service.ts#L153",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hoppscotch/hoppscotch/blob/main/packages/hoppscotch-backend/src/team-invitation/team-invitation.service.ts#L153"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "hoppscotch",
"vendor": "hoppscotch",
"versions": [
{
"status": "affected",
"version": "\u003c 2023.12.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hoppscotch is an API development ecosystem. Due to lack of validation for fields like Label (Edit Team) - TeamName, bad actors can send emails with Spoofed Content as Hoppscotch. Part of payload (external link) is presented in clickable form - easier to achieve own goals by malicious actors. This issue is fixed in 2023.12.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-26T19:40:57.427Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-8r6h-8r68-q3pp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-8r6h-8r68-q3pp"
},
{
"name": "https://github.com/hoppscotch/hoppscotch/commit/6827e97ec583b2534cdc1c2f33fa44973a0c2bf5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hoppscotch/hoppscotch/commit/6827e97ec583b2534cdc1c2f33fa44973a0c2bf5"
},
{
"name": "https://github.com/hoppscotch/hoppscotch/blob/main/packages/hoppscotch-backend/src/team-invitation/team-invitation.service.ts#L153",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hoppscotch/hoppscotch/blob/main/packages/hoppscotch-backend/src/team-invitation/team-invitation.service.ts#L153"
}
],
"source": {
"advisory": "GHSA-8r6h-8r68-q3pp",
"discovery": "UNKNOWN"
},
"title": "Content spoofing - real Hoppscotch emails"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-27092",
"datePublished": "2024-02-26T19:40:57.427Z",
"dateReserved": "2024-02-19T14:43:05.993Z",
"dateUpdated": "2024-08-02T00:27:57.835Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-34097 (GCVE-0-2023-34097)
Vulnerability from cvelistv5 – Published: 2023-06-05 20:02 – Updated: 2025-01-08 15:58
VLAI?
Title
Database password exposed in logs in hoppscotch
Summary
hoppscotch is an open source API development ecosystem. In versions prior to 2023.4.5 the database password is exposed in the logs when showing the database connection string. Attackers with access to read system logs will be able to elevate privilege with full access to the database. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
7.8 (High)
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| hoppscotch | hoppscotch |
Affected:
< 2023.4.5
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:01:53.900Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-qpx8-wq6q-r833",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-qpx8-wq6q-r833"
},
{
"name": "https://github.com/hoppscotch/hoppscotch/commit/15424903ede20b155d764abf4c4f7c2c84c11247",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hoppscotch/hoppscotch/commit/15424903ede20b155d764abf4c4f7c2c84c11247"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-34097",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-08T15:58:08.636655Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-08T15:58:21.195Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "hoppscotch",
"vendor": "hoppscotch",
"versions": [
{
"status": "affected",
"version": "\u003c 2023.4.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "hoppscotch is an open source API development ecosystem. In versions prior to 2023.4.5 the database password is exposed in the logs when showing the database connection string. Attackers with access to read system logs will be able to elevate privilege with full access to the database. Users are advised to upgrade. There are no known workarounds for this vulnerability. "
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-05T20:02:04.497Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-qpx8-wq6q-r833",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-qpx8-wq6q-r833"
},
{
"name": "https://github.com/hoppscotch/hoppscotch/commit/15424903ede20b155d764abf4c4f7c2c84c11247",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hoppscotch/hoppscotch/commit/15424903ede20b155d764abf4c4f7c2c84c11247"
}
],
"source": {
"advisory": "GHSA-qpx8-wq6q-r833",
"discovery": "UNKNOWN"
},
"title": "Database password exposed in logs in hoppscotch"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-34097",
"datePublished": "2023-06-05T20:02:04.497Z",
"dateReserved": "2023-05-25T21:56:51.245Z",
"dateUpdated": "2025-01-08T15:58:21.195Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0121 (GCVE-0-2022-0121)
Vulnerability from cvelistv5 – Published: 2022-01-06 02:30 – Updated: 2024-08-02 23:18
VLAI?
Title
Cross-site Scripting in hoppscotch/hoppscotch
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hoppscotch hoppscotch/hoppscotch.This issue affects hoppscotch/hoppscotch before 2.1.1.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| hoppscotch | hoppscotch/hoppscotch |
Affected:
unspecified , < 2.1.1
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:18:41.752Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/b70a6191-8226-4ac6-b817-cae7332a68ee"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hoppscotch/hoppscotch/commit/86ef1a4e143ea5bb0c7b309574127cc39d4faa74"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "hoppscotch/hoppscotch",
"vendor": "hoppscotch",
"versions": [
{
"lessThan": "2.1.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in hoppscotch hoppscotch/hoppscotch.\u003cp\u003eThis issue affects hoppscotch/hoppscotch before 2.1.1.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in hoppscotch hoppscotch/hoppscotch.This issue affects hoppscotch/hoppscotch before 2.1.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-02T08:52:46.289Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/b70a6191-8226-4ac6-b817-cae7332a68ee"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hoppscotch/hoppscotch/commit/86ef1a4e143ea5bb0c7b309574127cc39d4faa74"
}
],
"source": {
"advisory": "b70a6191-8226-4ac6-b817-cae7332a68ee",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting in hoppscotch/hoppscotch",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0121",
"STATE": "PUBLIC",
"TITLE": "Exposure of Sensitive Information to an Unauthorized Actor in hoppscotch/hoppscotch"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "hoppscotch/hoppscotch",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "2.1.1"
}
]
}
}
]
},
"vendor_name": "hoppscotch"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "hoppscotch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/b70a6191-8226-4ac6-b817-cae7332a68ee",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/b70a6191-8226-4ac6-b817-cae7332a68ee"
},
{
"name": "https://github.com/hoppscotch/hoppscotch/commit/86ef1a4e143ea5bb0c7b309574127cc39d4faa74",
"refsource": "MISC",
"url": "https://github.com/hoppscotch/hoppscotch/commit/86ef1a4e143ea5bb0c7b309574127cc39d4faa74"
}
]
},
"source": {
"advisory": "b70a6191-8226-4ac6-b817-cae7332a68ee",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0121",
"datePublished": "2022-01-06T02:30:10.000Z",
"dateReserved": "2022-01-05T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:18:41.752Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}