7 matches found

CVE
added 2026/05/11 12:00 a.m. · 6 views

CVE-2026-38568

Vulnerability summary (CVE-2026-38568): HireFlow v1.2 is affected by Incorrect Access Control due to missing object-level authorization on the /candidate/ and /interview/ endpoints. The application retrieves records by user-supplied IDs without verifying owner or authorization, enabling any authe...

CVSS 8.1 · AI score 5.8 · EPSS 0.0003
Exploits: 1 · References: 3
CNNVD
added 2026/05/11 12:00 a.m. · 3 views

HireFlow security vulnerability

HireFlow is an online interview management platform developed by StratonWebDesigners as a personal developer project. Version 1.2 of HireFlow contains a security vulnerability. This vulnerability stems from the lack of object-level authorization for the /candidate/ and /interview/ endpoints. As a...

CVSS 8.1 · AI score 5.8 · EPSS 0.0003
Exploits: 1 · References: 1
CVE
added 2026/05/11 12:00 a.m. · 7 views

CVE-2026-38566

CVE-2026-38566 affects HireFlow v1.2. The issue is CSRF on all state-changing POST endpoints (e.g., /profile password change, /candidates/delete/, /feedback/add/, /interviews/add) due to missing CSRF token validation and no SESSION_COOKIE_SAMESITE configuration. Root cause: CSRF token validation ...

CVSS 8.1 · AI score 6 · EPSS 0.00016
Exploits: 1 · References: 3
Vulnrichment
added 2026/05/11 12:00 a.m. · 2 views

CVE-2026-38568

HireFlow v1.2 is vulnerable to Incorrect Access Control. The application does not enforce object-level authorization on the /candidate/ and /interview/ endpoints. The route handlers retrieve records by the user-supplied ID without verifying that the requesting user is the owner or has an authoriz...

AI score 5.8 · EPSS 0.0003
Exploits: 1 · References: 3
RedhatCVE
added 2025/05/22 11:17 p.m. · 5 views

CVE-2022-38576

Interview Management System v1.0 was discovered to contain a SQL injection vulnerability via the component /interview/delete.php?action=deletecand=...

CVSS 7.2 · AI score 8.3 · EPSS 0.00274
Exploits: 1 · References: 1
Positive Technologies
added 2024/08/06 12:00 a.m. · 3 views

PT-2024-25625 · Unknown · School Management System

Name of the Vulnerable Software and Affected Versions: School Event Management System version 1.0. Description: The issue is a Cross-Site Scripting (XSS) vulnerability. An attacker could create a specially crafted URL and send it to a victim to obtain their session details via the view...

CVSS 7.1 · AI score 5.7 · EPSS 0.00174
Exploits: 0 · References: 3
ATTACKERKB
added 2022/09/19 8:15 p.m. · 1 view

CVE-2022-38576

Interview Management System v1.0 was discovered to contain a SQL injection vulnerability via the component /interview/delete.php?action=deletecand&id=...

CVSS 7.2 · AI score 5.8 · EPSS 0.00274
Exploits: 1 · References: 2