This is a fun one :)
[CVE-2026-50160] Hoppscotch: Unauthenticated JWT Secret Overwrite
https://seclists.org/oss-sec/2026/q2/1007"The POST /v1/onboarding/config endpoint allows an unauthenticated attacker to inject arbitrary InfraConfig keys including JWT_SECRET and SESSION_SECRET"