17 matches found

RedhatCVE
added 2026/06/05 7:49 p.m., 7 views

CVE-2026-38568

HireFlow v1.2 is vulnerable to Incorrect Access Control. The application does not enforce object-level authorization on the /candidate/ and /interview/ endpoints. The route handlers retrieve records by the user-supplied ID without verifying that the requesting user is the owner or has an authoriz...

CVSS 8.1 | AI score 5.5 | EPSS 0.00231
Exploits 1 | References 1
EUVD
added 2026/05/11 6:31 p.m., 6 views

EUVD-2026-29117

HireFlow v1.2 is vulnerable to Cross Site Scripting XSS in candidatedetail.html via the Resume or Feedback Comment fields via POST /candidates/add or POST /feedback/add...

CVSS 5.4 | AI score 5.8 | EPSS 0.00208
Exploits 1 | References 4
NVD
added 2026/05/11 6:16 p.m., 6 views

CVE-2026-38569

HireFlow v1.2 is vulnerable to Cross Site Scripting XSS in candidatedetail.html via the Resume or Feedback Comment fields via POST /candidates/add or POST /feedback/add...

CVSS 5.4 | EPSS 0.00208
Exploits 1 | References 3
NVD
added 2026/05/11 6:16 p.m., 11 views

CVE-2026-38566

HireFlow v1.2 does not implement CSRF token validation on any state-changing POST endpoint. All forms password change at /profile, candidate deletion at /candidates/delete/, feedback submission at /feedback/add/, interview scheduling at /interviews/add are vulnerable to CSRF. An attacker who can...

CVSS 8.1 | EPSS 0.00168
Exploits 1 | References 3
NVD
added 2026/05/11 6:16 p.m., 6 views

CVE-2026-38567

HireFlow v1.2 is vulnerable to SQL injection in the /login and /search endpoints. User-supplied input is concatenated directly into SQL queries without parameterization. An unauthenticated attacker can bypass authentication by supplying a crafted username e.g. admin'-- or extract the full content...

CVSS 9.8 | EPSS 0.00495
Exploits 1 | References 3
ATTACKERKB
added 2026/05/11 12:00 a.m., 9 views

CVE-2026-38568

HireFlow v1.2 is vulnerable to Incorrect Access Control. The application does not enforce object-level authorization on the /candidate/ and /interview/ endpoints. The route handlers retrieve records by the user-supplied ID without verifying that the requesting user is the owner or has an authoriz...

AI score 5.8 | EPSS 0.00231
Exploits 1 | References 4
Cvelist
added 2026/05/11 12:00 a.m., 33 views

CVE-2026-38566

HireFlow v1.2 does not implement CSRF token validation on any state-changing POST endpoint. All forms password change at /profile, candidate deletion at /candidates/delete/, feedback submission at /feedback/add/, interview scheduling at /interviews/add are vulnerable to CSRF. An attacker who can...

EPSS 0.00168
Exploits 1 | References 3
ATTACKERKB
added 2026/05/11 12:00 a.m., 4 views

CVE-2026-38569

HireFlow v1.2 is vulnerable to Cross Site Scripting XSS in candidatedetail.html via the Resume or Feedback Comment fields via POST /candidates/add or POST /feedback/add...

AI score 5.8 | EPSS 0.00208
Exploits 1 | References 4
CVE
added 2026/05/11 12:00 a.m., 10 views

CVE-2026-38568

Vulnerability summary (CVE-2026-38568): HireFlow v1.2 is affected by Incorrect Access Control due to missing object-level authorization on the /candidate/ and /interview/ endpoints. The application retrieves records by user-supplied IDs without verifying owner or authorization, enabling any authe...

CVSS 8.1 | AI score 5.8 | EPSS 0.00231
Exploits 1 | References 3
Vulnrichment
added 2026/05/11 12:00 a.m., 4 views

CVE-2026-38568

HireFlow v1.2 is vulnerable to Incorrect Access Control. The application does not enforce object-level authorization on the /candidate/ and /interview/ endpoints. The route handlers retrieve records by the user-supplied ID without verifying that the requesting user is the owner or has an authoriz...

AI score 5.8 | EPSS 0.00231
Exploits 1 | References 3
Cvelist
added 2026/05/11 12:00 a.m., 30 views

CVE-2026-38569

HireFlow v1.2 is vulnerable to Cross Site Scripting XSS in candidatedetail.html via the Resume or Feedback Comment fields via POST /candidates/add or POST /feedback/add...

EPSS 0.00208
Exploits 1 | References 3
Vulnrichment
added 2026/05/11 12:00 a.m., 4 views

CVE-2026-38569

HireFlow v1.2 is vulnerable to Cross Site Scripting XSS in candidatedetail.html via the Resume or Feedback Comment fields via POST /candidates/add or POST /feedback/add...

AI score 5.8 | EPSS 0.00208
Exploits 1 | References 3
CVE
added 2026/05/11 12:00 a.m., 10 views

CVE-2026-38567

HireFlow v1.2 is vulnerable to SQL injection in the /login and /search endpoints. User input is concatenated directly into SQL queries without parameterization, enabling an unauthenticated attacker to bypass authentication (e.g., by using a crafted username) or to extract the full contents of the...

CVSS 9.8 | AI score 5.9 | EPSS 0.00495
Exploits 1 | References 3
CNNVD
added 2026/05/11 12:00 a.m., 6 views

HireFlow cross-site scripting vulnerability

HireFlow is an online interview management platform developed by StratonWebDesigners as a personal developer project. Version 1.2 of HireFlow contains a cross-site scripting vulnerability. This vulnerability stems from the Resume or Feedback Comment fields in the candidatedetail.html file, where...

CVSS 5.4 | AI score 5.6 | EPSS 0.00208
Exploits 1 | References 1
CVE
added 2026/05/11 12:00 a.m., 10 views

CVE-2026-38569

CVE-2026-38569 affects HireFlow v1.2. The vulnerability is a Cross Site Scripting (XSS) flaw in candidate_detail.html that can be triggered via the Resume or Feedback Comment fields when submitting through POST /candidates/add or POST /feedback/add. The underlying issue is an XSS in the candidate...

CVSS 5.4 | AI score 5.8 | EPSS 0.00208
Exploits 1 | References 3
Vulnrichment
added 2026/05/11 12:00 a.m., 8 views

CVE-2026-38567

HireFlow v1.2 is vulnerable to SQL injection in the /login and /search endpoints. User-supplied input is concatenated directly into SQL queries without parameterization. An unauthenticated attacker can bypass authentication by supplying a crafted username e.g. admin'-- or extract the full content...

AI score 5.9 | EPSS 0.00495
Exploits 1 | References 3
GithubExploit
added 2026/05/08 3:36 p.m., 50 views

CVE-Disclosures

🛡️ CVE Disclosures 🛡️ Welcome to my CVE disclosures repositor...

CVSS 8.1 | AI score 5.9 | EPSS 0.00495
Exploits 1