CVE-2026-38566 - Vulnerability Details

Description

HireFlow v1.2 does not implement CSRF token validation on any state-changing POST endpoint. All forms (password change at /profile, candidate deletion at /candidates/delete/<id>, feedback submission at /feedback/add/<id>, interview scheduling at /interviews/add) are vulnerable to CSRF. An attacker who can trick an authenticated user into visiting a malicious page can silently change the victim's password, delete records, or inject arbitrary data on their behalf. The SESSION_COOKIE_SAMESITE attribute is also not configured, removing the browser-level CSRF defense.

Published: 2026-05-11

Score: 8.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability exists because HireFlow version 1.2 omits CSRF token validation on all state‑changing POST endpoints. The affected endpoints include password change, candidate deletion, feedback submission, and interview scheduling. Without a CSRF token and without the SESSION_COOKIE_SAMESITE attribute, a malicious page can trigger these actions silently when an authenticated user visits it, allowing the attacker to change the victim’s password, delete records, or submit arbitrary data. The weakness leads to loss of confidentiality, integrity, and availability of user data.

Affected Systems

HireFlow v1.2, an interview management system built in Python, is the only affected product. All users logged into this version are vulnerable to the described attacks.

Risk and Exploitability

The EPSS score is < 1%, indicating a low likelihood of exploitation, and it is not listed in CISA’s KEV catalog, indicating it is not currently known to be actively exploited. However, the attack surface is high because it requires only that an authenticated user visit a malicious webpage, which can be achieved through phishing or compromised content. The CVSS score is 8.1, indicating a high severity.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

No data.

Vendor Product Confidence Versions

Stratonwebdesigners

Hireflow

80%

Version	Status	Scheme	Platform
`[0,1.2]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Implement CSRF token validation on all POST endpoints and validate the token on the server side
Set the SESSION_COOKIE_SAMESITE attribute to "Lax" or "Strict" to enforce browser‑level CSRF protection
Deploy a framework‑level CSRF protection mechanism such as anti‑CSRF libraries or built‑in platform features

Generated by OpenCVE AI on May 12, 2026 at 16:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00017.

Exploitation poc

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/StratonWebDesigners/HireFlow
https://github.com/hijackedamygdala/CVE-Disclosures/tree/main/HireFlow/CVE-2026-38566
https://www.sourcecodester.com/python/18688/hireflow-%E2%80%93-complete-interview-management-system.html

History

Tue, 12 May 2026 16:30:00 +0000

Type	Values Removed	Values Added
Title	Missing CSRF Protection Allows Sensitive Data Modification

Tue, 12 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 12 May 2026 10:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Stratonwebdesigners Stratonwebdesigners hireflow
Vendors & Products		Stratonwebdesigners Stratonwebdesigners hireflow

Mon, 11 May 2026 18:45:00 +0000

Type	Values Removed	Values Added
Title		Missing CSRF Protection Allows Sensitive Data Modification
Weaknesses		CWE-352

Mon, 11 May 2026 17:30:00 +0000

Type	Values Removed	Values Added
Description		HireFlow v1.2 does not implement CSRF token validation on any state-changing POST endpoint. All forms (password change at /profile, candidate deletion at /candidates/delete/<id>, feedback submission at /feedback/add/<id>, interview scheduling at /interviews/add) are vulnerable to CSRF. An attacker who can trick an authenticated user into visiting a malicious page can silently change the victim's password, delete records, or inject arbitrary data on their behalf. The SESSION_COOKIE_SAMESITE attribute is also not configured, removing the browser-level CSRF defense.
References		https://github.com/StratonWebDesigners/HireFlow https://github.com/hijackedamygdala/CVE-Disclosures/tree/main/HireFlow/CVE-2026-38566 https://www.sourcecodester.com/python/18688/hireflow-%E2%80%93-complete-interview-management-system.html

Subscriptions

Stratonwebdesigners Hireflow

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-05-11T00:00:00.000Z

Updated: 2026-05-12T13:43:51.799Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38566

Vulnrichment

Updated: 2026-05-12T13:43:13.743Z

NVD

Status : Deferred

Published: 2026-05-11T18:16:32.730

Modified: 2026-05-12T15:06:07.407

Link: CVE-2026-38566

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T16:15:19Z

Weaknesses

CWE-352

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

Exploitation poc

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object