Executive Summary

CVE-2026-34848 is a stored cross-site scripting (XSS) vulnerability in the Hoppscotch web frontend, specifically in the team member overflow tooltip within shared workspaces.

The vulnerability occurs because the tooltip component renders user-controlled display names as HTML using tippy.js with the option allowHTML: true. An authenticated workspace member can set their display name to include malicious HTML with inline JavaScript.

When other members hover over or click the member stack tooltip (visible when a workspace has four or more members), the injected script executes in their browsers.

This allows arbitrary script execution scoped to shared workspaces, potentially enabling session hijacking, DOM manipulation, or disruption of workspace usability.

The vulnerability requires low privileges (authenticated workspace membership) and low attack complexity but does require user interaction to trigger the tooltip.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing an attacker who is an authenticated member of a shared workspace to execute arbitrary scripts in your browser when you interact with the team member tooltip.

Potential impacts include session hijacking, manipulation of the webpage's Document Object Model (DOM), and disruption of the usability of the workspace.

The confidentiality and integrity impacts are considered low, and there is no impact on availability.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability is a stored cross-site scripting (XSS) issue in the Hoppscotch web frontend, specifically in the team member overflow tooltip that renders user display names as HTML. Detection involves identifying if your Hoppscotch instance is running a vulnerable version (2026.2.1 up to but not including 2026.3.0) and if authenticated workspace members have set display names containing malicious HTML or JavaScript.

Since the vulnerability requires user interaction with the tooltip, network detection might be limited. However, you can check the version of Hoppscotch deployed and inspect workspace member display names for suspicious HTML or script tags.

Suggested commands or steps include:

• Verify Hoppscotch version by checking the application metadata or running a command like `hoppscotch --version` if available.
• Audit workspace member display names for HTML or JavaScript content by querying the database or using API calls to list members and inspecting their display names.
• Use web application security scanners or manual testing to hover over or trigger the team member overflow tooltip in shared workspaces with four or more members to observe if script execution occurs.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Hoppscotch to version 2026.3.0 or later, where the vulnerability has been patched by treating display names as plain text instead of HTML, preventing script injection.

Additional immediate steps include:

• Restrict or review workspace member permissions to limit who can change display names.
• Temporarily disable or avoid using the team member overflow tooltip feature in shared workspaces if possible.
• Educate workspace members about the risk of setting malicious display names and encourage reporting suspicious behavior.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of the stored XSS vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0