PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-59721 hoppscotch CVE debrief

The CVE-2026-59721 record was published on 2026-07-09T18:16:57.200Z. Hoppscotch, an open source API development ecosystem, has a vulnerability in its updateInfraConfigs GraphQL mutation that allows an attacker to execute arbitrary commands as root in the backend container. This issue is fixed in version 2026.6.0. The NVD entry for this CVE is currently Deferred.

Vendor
hoppscotch
Product
Unknown
CVSS
HIGH 7.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-09
Original CVE updated
2026-07-10
Advisory published
2026-07-09
Advisory updated
2026-07-10

Who should care

Administrators and users of Hoppscotch API development ecosystem should be aware of this vulnerability and take necessary actions to mitigate it. Specifically, those responsible for managing and securing the ecosystem, including operators, platform administrators, vulnerability management teams, and security teams, should review and act on the recommended actions.

Technical summary

Hoppscotch is an open source API development ecosystem. Prior to 2026.6.0, the updateInfraConfigs GraphQL mutation in admin/infra.resolver.ts accepts an attacker-controlled MAILER_SMTP_URL value, and validateSMTPUrl in utils.ts permits path, query, or fragment content that nodemailer parses into sendmail transport options, allowing an admin to execute arbitrary commands as root in the backend container after restart and mail sending. The vulnerability is fixed in version 2026.6.0, which properly validates and sanitizes MAILER_SMTP_URL values.

Defensive priority

High

Recommended defensive actions

  • Update Hoppscotch to version 2026.6.0 or later
  • Review and restrict access to the updateInfraConfigs GraphQL mutation
  • Validate and sanitize MAILER_SMTP_URL values
  • Monitor for suspicious activity in the backend container
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-09T18:16:57.200Z and has not been modified since then. The NVD entry is currently Deferred. The vulnerability is fixed in version 2026.6.0. Evidence from the CVE record and NVD detail indicate that Hoppscotch API development ecosystem is vulnerable to arbitrary command execution as root in the backend container after restart and mail sending due to improper validation of MAILER_SMTP_URL in the updateInfraConfigs GraphQL mutation.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-09T18:16:57.200Z and has not been modified since then. The NVD entry is currently Deferred.