Description
HireFlow v1.2 is vulnerable to SQL injection in the /login and /search endpoints. User-supplied input is concatenated directly into SQL queries without parameterization. An unauthenticated attacker can bypass authentication by supplying a crafted username (e.g. admin'--) or extract the full contents of the database including user credentials via UNION-based injection at the /search endpoint.
Published: 2026-05-11
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic SQL injection in HireFlow's /login and /search endpoints, where user input is concatenated into SQL statements without escaping or parameterization. An attacker can supply a crafted username such as admin'-- to bypass authentication, or use a UNION-based payload on the /search endpoint to retrieve the entire database, including stored user credentials. This flaw lets unauthenticated attackers gain privileged access or exfiltrate sensitive data, directly compromising the confidentiality and integrity of user information.

Affected Systems

The flaw is limited to the open-source HireFlow interview management system, specifically version 1.2, as indicated by the source-code reference links. No other vendor or product list is included in the CNA data, so the scope is confined to deployments of this exact version.

Risk and Exploitability

The CVSS score is 9.8, the EPSS score is < 1%, and the CVE is not listed in the CISA KEV catalog. Nevertheless, because the affected endpoints accept unauthenticated input and the flaw allows retrieval of every database row, the risk is high. An attacker can exploit the flaw with a single crafted HTTP request; no special infrastructure or credentials are required, so exploitation is feasible and likely if the system is publicly reachable.

Generated by OpenCVE AI on May 12, 2026 at 15:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest HireFlow release that contains the SQL injection fix
  • Refactor the /login and /search code to use parameterized queries or prepared statements to eliminate direct string concatenation
  • Validate and sanitize all user-supplied data, and enforce least-privilege database access
  • Restrict direct access to the /search endpoint from untrusted networks via firewall rules or IP whitelisting

Generated by OpenCVE AI on May 12, 2026 at 15:40 UTC.
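The concatenation pattern the description names, beside the parameterized form the recommended actions call for, as an added example that is neither HireFlow's code nor part of the OpenCVE record: the in-memory SQLite table, its schema and the SHA-256 password column are constructed stand-ins.

```python
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a users table; not HireFlow's real schema.
    The SHA-256 column is a placeholder for whatever password hash the app stores."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', ?)",
                 (hashlib.sha256(b"correct-horse").hexdigest(),))
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """The pattern the advisory describes: input spliced into the SQL text.
    A username of admin'-- closes the string literal and turns the rest of the
    WHERE clause, including the password check, into a comment."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = (f"SELECT id, username FROM users WHERE username = '{username}' "
           f"AND password_hash = '{pw_hash}'")
    return conn.execute(sql).fetchone()


def login_fixed(conn: sqlite3.Connection, username: str, password: str):
    """Hardened form: the statement shape is fixed and both values are bound
    parameters, so a quote or -- in the username is compared literally."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = "SELECT id, username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, pw_hash)).fetchone()


def search_fixed(conn: sqlite3.Connection, term: str):
    """Hardened /search: the LIKE pattern is a bound parameter (nothing can be
    appended to the statement) and LIKE wildcards in the term are escaped so a
    bare '%' cannot dump every row."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT id, username FROM users WHERE username LIKE ? ESCAPE '\\'"
    return conn.execute(sql, (f"%{escaped}%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Regression check worth keeping: the known bypass must fail on the fixed path.
    assert login_vulnerable(db, "admin'--", "wrong") == (1, "admin")
    assert login_fixed(db, "admin'--", "wrong") is None
    assert login_fixed(db, "admin", "correct-horse") == (1, "admin")
    assert search_fixed(db, "' UNION SELECT 1,2 --") == []
    print("hardened login/search behave as expected")
```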

Advisories

No advisories yet.

History

Tue, 12 May 2026 16:00:00 +0000

Type     Values Removed   Values Added
Title                     SQL Injection in HireFlow v1.2 Enables unauthenticated access and credential theft

Tue, 12 May 2026 14:15:00 +0000

Type      Values Removed   Values Added
Metrics                    cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
                           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 12 May 2026 10:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Stratonwebdesigners
                                       Stratonwebdesigners hireflow
Vendors & Products                     Stratonwebdesigners
                                       Stratonwebdesigners hireflow

Mon, 11 May 2026 18:45:00 +0000

Type         Values Removed   Values Added
Title                         SQL Injection in HireFlow v1.2 Enables unauthenticated access and credential theft
Weaknesses                    CWE-89

Mon, 11 May 2026 17:30:00 +0000

Type          Values Removed   Values Added
Description                    HireFlow v1.2 is vulnerable to SQL injection in the /login and /search endpoints. User-supplied input is concatenated directly into SQL queries without parameterization. An unauthenticated attacker can bypass authentication by supplying a crafted username (e.g. admin'--) or extract the full contents of the database including user credentials via UNION-based injection at the /search endpoint.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-12T13:41:28.200Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38567

Vulnrichment

Updated: 2026-05-12T13:40:50.310Z

NVD

Status: Deferred

Published: 2026-05-11T18:16:32.857

Modified: 2026-05-12T15:06:07.407

Link: CVE-2026-38567

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T15:45:06Z

Weaknesses