{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://database.harborguard.co/cve/CVE-2026-50160/vex.json","author":"HarborGuard Database","role":"Document Creator","timestamp":"2026-07-01T18:46:04.092Z","version":1,"tooling":"HarborGuard Database (https://database.harborguard.co)","statements":[{"vulnerability":{"name":"CVE-2026-50160","@id":"https://www.cve.org/CVERecord?id=CVE-2026-50160","description":"Hoppscotch is an API development ecosystem. In self-hosted deployments of hoppscotch-backend version 2026.4.1 and earlier, the unauthenticated POST /v1/onboarding/config endpoint is vulnerable to mass assignment. The global NestJS ValidationPipe is configured without whitelist: true, so extra properties on the request body that are not declared in SaveOnboardingConfigRequest are not stripped and are iterated in the service layer as if they were legitimate InfraConfig entries. Because keys s..."},"products":[{"@id":"cpe:2.3:a:hoppscotch:hoppscotch:\\<\\=_2026.4.1:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:hoppscotch:hoppscotch:\\<\\=_2026.4.1:*:*:*:*:*:*:*"}}],"status":"affected","action_statement":"No fixed version is published yet; monitor the upstream advisory.","timestamp":"2026-07-01T18:46:04.092Z"}]}