CVE-2026-38567

Published: May 11, 2026

Modified: May 12, 2026

PUBLISHED

Description

HireFlow v1.2 is vulnerable to SQL injection in the /login and /search endpoints. User-supplied input is concatenated directly into SQL queries without parameterization. An unauthenticated attacker can bypass authentication by supplying a crafted username (e.g. admin'--) or extract the full contents of the database including user credentials via UNION-based injection at the /search endpoint.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/StratonWebDesigners/HireFlow

https://www.sourcecodester.com/python/18688/hireflow-%E2%80%93-complete-interview-management-system.html

https://github.com/hijackedamygdala/CVE-Disclosures/tree/main/HireFlow/CVE-2026-38567

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-38567

Description

Affected Products

References