Tracemint

**Name of the Vulnerable Software and Affected Versions** Twenty versions prior to 1.18 **Description** Twenty is an open source CRM. The software’s SSRF protection within the SecureHttpClientService did not fully validate request URLs, specifically failing to validate redirect targets. An authenticated user capable of controlling outbound request URLs, such as those used in webhooks or image URLs, could circumvent private IP blocking by redirecting requests through a server controlled by an attacker. **Recommendations** Update to version 1.18 or later.

**Name of the Vulnerable Software and Affected Versions** hoppscotch versions prior to 2026.2.0 **Description** hoppscotch is an API development ecosystem. Prior to version 2026.2.0, any logged-in user could read, modify, or delete another user's personal environment by ID. The issue arises from missing authorization checks in the `user-environments.resolver.ts` file, specifically within the `updateUserEnvironment` mutation, which lacks the `@GqlUser()` decorator. This results in the service receiving only the environment ID and performing a `prisma.userEnvironment.update({ where: { id } })` without any ownership filter. The `deleteUserEnvironment` function also has insufficient checks, only verifying if the target is a global environment. Hoppscotch environments store API keys, auth tokens, and secrets used in API requests. An attacker could obtain another user's environment ID and potentially read, replace, or delete sensitive information. The environment ID format is CUID. **Recommendations** Update hoppscotch to version 2026.2.0 or later.