Impact
A stored cross-site scripting flaw exists in pbrong hrms version 1.0.1 within the UpdateRecruitmentById handler. The handler accepts attacker-controlled input for a recruitment record without adequate sanitisation or output encoding, so script embedded in that input is persisted with the record and rendered, unescaped, whenever the entry is viewed. Because the payload runs in the browser of every user who opens the entry, and in the application's own origin, it can be used for session hijacking, theft of data the victim can see, or defacement of the page. This is a classic instance of CWE-79. The trigger is ordinary use of the recruitment endpoint, which gives an attacker a direct route to executing script in the context of other users of the application.
Affected Systems
The affected vendor is pbrong and the product is hrms; the vulnerable release is identified as 1.0.1. Only that version is listed in the CNA data, so whether earlier or later releases share the defect is not stated. Deployments running 1.0.1 should be treated as exposed.
Risk and Exploitability
The CVSS score of 5.1 places the issue in the medium severity band, and the EPSS score of less than 1% suggests that exploitation is not yet widespread. The vulnerability is publicly known and can be triggered remotely by submitting crafted input to the UpdateRecruitmentById endpoint. The issue is not listed in the CISA Known Exploited Vulnerabilities catalog, but a public exploit exists, so attackers are aware of the flaw and have a working path to it. An attacker who lands a payload in a recruitment entry can hijack the sessions of users who view it, capture credentials or other data those users can see, and alter the content presented to them. The attack is network-reachable and needs no privileges on the server itself; the only prerequisite is whatever access the application grants to the recruitment endpoint, and exploitation completes only when another user views the poisoned entry, so the victim's role determines how much an attacker gains.
OpenCVE Enrichment