id: CVE-2026-34847

info:
  name: Hoppscotch <= 2026.2.1 - Open Redirect
  author: ritikchaddha
  severity: medium
  description: |
    Hoppscotch <= 2026.2.1 is vulnerable to a DOM-based open redirect on the /enter page. The redirect query parameter is passed directly to window.location.href with no origin validation. Requires one additional query parameter to trigger. Exploited via a crafted URL such as /enter?redirect=evil.com&foo=bar.
  impact: |
    Phishing, credential theft, and OAuth token interception. Victims who click a crafted link see the legitimate Hoppscotch domain in the address bar before being silently redirected to an attacker-controlled site.
  remediation: |
    Upgrade to Hoppscotch 2026.3.0 or later. The fix validates that the redirect URL is same-origin before performing the navigation.
  reference:
    - https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-27pm-c9ch-746q
    - https://nvd.nist.gov/vuln/detail/CVE-2026-34847
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
    cvss-score: 4.7
    cve-id: CVE-2026-34847
    epss-score: 0.00382
    epss-percentile: 0.59873
    cwe-id: CWE-601
  metadata:
    verified: true
    max-request: 1
    vendor: hoppscotch
    product: hoppscotch
    shodan-query: http.title:"Hoppscotch"
    fofa-query: title="Hoppscotch"
  tags: cve,cve2026,hoppscotch,redirect

http:
  - method: GET
    path:
      - "{{BaseURL}}/enter?redirect=oast.me&foo=bar"

    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)(?:[a-zA-Z0-9\-_\.@]*)oast\.me\/?(\/|[^.].*)?$'
# digest: 4a0a00473045022100b37d2ab7b9171d630de41703441bf1ac0adfe2440b9ba263dade30811ddd7f4402206c628522220a6da551322b71068a0d96fe61dd6fb9dbdd7b7270561da45a05c9:922c64590222798bb761d5b6d8e72950
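Added example, not Hoppscotch's code and not taken from the advisory: the unchecked "parameter straight into location.href" pattern the description criticises, beside a same-origin check of the kind the remediation describes. It rejects the absolute, protocol-relative and backslash forms the template's matcher regex enumerates; `appOrigin` is an assumed stand-in for window.location.origin so the code runs under Node, and the hostnames in the comments are constructed.

```javascript
// Unchecked variant: whatever the parameter holds becomes the navigation
// target, so "//oast.me" or "https://oast.me" leaves the site.
function unsafeRedirectTarget(search) {
  const params = new URLSearchParams(search);
  return params.get("redirect");
}

// Hardened variant: resolve the value against the application's own origin
// and keep only path + query + fragment when the resolved origin matches.
function safeRedirectTarget(search, appOrigin, fallback = "/") {
  const params = new URLSearchParams(search);
  const raw = params.get("redirect");
  if (raw === null || raw === "") return fallback;

  // Browsers treat "/\host" like "//host"; normalise explicitly so the
  // intent is visible even if a non-WHATWG parser is used elsewhere.
  const normalised = raw.replace(/\\/g, "/");

  let target;
  try {
    // Relative paths resolve under appOrigin; absolute, protocol-relative
    // and scheme-bearing values (javascript:, data:) keep their own origin.
    target = new URL(normalised, appOrigin);
  } catch {
    return fallback; // unparseable input: never navigate on it
  }
  if (target.origin !== appOrigin) return fallback;
  if (target.protocol !== "http:" && target.protocol !== "https:") return fallback;
  return target.pathname + target.search + target.hash;
}
```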