Remote Command Execution Vulnerability in Hoppscotch Open Source API Development Tool
CVE-2026-59721
7.2HIGH
What is CVE-2026-59721?
Hoppscotch, an open source API development ecosystem, has a vulnerability due to improper validation in the updateInfraConfigs GraphQL mutation. This flaw allows an attacker to provide a malicious MAILER_SMTP_URL, which is subsequently mishandled by the validateSMTPUrl function. This oversight permits arbitrary command execution as root in the backend container, particularly during mail sending and container restart processes. The issue was rectified in version 2026.6.0, providing essential updates for users to secure their setups.
Affected Version(s)
hoppscotch < 2026.6.0
