Remote Command Execution Vulnerability in Hoppscotch Open Source API Development Tool
CVE-2026-59721

7.2HIGH

Key Information:

Vendor

Hoppscotch

Vendor
CVE Published:
9 July 2026

What is CVE-2026-59721?

Hoppscotch, an open source API development ecosystem, has a vulnerability due to improper validation in the updateInfraConfigs GraphQL mutation. This flaw allows an attacker to provide a malicious MAILER_SMTP_URL, which is subsequently mishandled by the validateSMTPUrl function. This oversight permits arbitrary command execution as root in the backend container, particularly during mail sending and container restart processes. The issue was rectified in version 2026.6.0, providing essential updates for users to secure their setups.

Affected Version(s)

hoppscotch < 2026.6.0

References

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.