Back to overview

CVE-2026-59721

HIGH Exploitation: PoC
7.2
CVSS 3.1
Description
Hoppscotch is an open source API development ecosystem. Prior to 2026.6.0, the updateInfraConfigs GraphQL mutation in admin/infra.resolver.ts accepts an attacker-controlled MAILER_SMTP_URL value, and validateSMTPUrl in utils.ts permits path, query, or fragment content that nodemailer parses into sendmail transport options, allowing an admin to execute arbitrary commands as root in the backend container after restart and mail sending. This issue is fixed in version 2026.6.0.

Metadata

CVE ID
CVE-2026-59721
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-07-06 15:34 UTC
Published
2026-07-09 17:24 UTC
Last updated
2026-07-09 19:13 UTC
Primary CWE
CWE-77
CWE-77: Improper Neutralization of Special Elements used in …
Vendor / Product
hoppscotch / hoppscotch
Sources
cve.org  ·  NVD

Severity & Metrics

7.2 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
SSVC — CISA Coordinator
Exploitation
PoC
Automatable
no
Tech. Impact
total
Affected products (1)
VendorProductPlatformVersions
hoppscotch hoppscotch < 2026.6.0
Weakness (CWE)
CWESourceDescription
CWE-77 cna CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-78 cna CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-915 cna CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
CVSS scores (1)
ScoreSeverityVersionSourceVector
7.2 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References (4)
Back to overview