CVE-2026-38567
Published
CVSS v3
9.8
CRITICAL
CVSS v2
N/A
Affected
2
PROJECTS
Description
HireFlow v1.2 is vulnerable to SQL injection in the /login and /search endpoints. User-supplied input is concatenated directly into SQL queries without parameterization. An unauthenticated attacker can bypass authentication by supplying a crafted username (e.g. admin'--) or extract the full contents of the database including user credentials via UNION-based injection at the /search endpoint.
HireFlow is a modern and intuitive web-based Interview Management System designed to streamline the hiring process for recruiters and organizations. It provides a centralized platform to manage candidates, schedule interviews, and track recruitment progress efficiently.
GitHub