Description
HireFlow v1.2 is vulnerable to Cross Site Scripting (XSS) in candidate_detail.html via the Resume or Feedback Comment fields via POST /candidates/add or POST /feedback/add.
Published: 2026-05-11
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in HireFlow v1.2 allows injection of arbitrary HTML and JavaScript into the Resume or Feedback Comment fields. When a user submits data via the POST /candidates/add or POST /feedback/add endpoints, the content is stored without sanitization and later displayed in candidate_detail.html, resulting in client‑side script execution. This is a classic stored XSS flaw classified as CWE‑79.

Affected Systems

The affected software is HireFlow version 1.2. No additional vendor or product information is specified beyond the application name and version. The scope is limited to the application; there is no mention of external dependencies or system components.

Risk and Exploitability

The CVSS score of 5.4 denotes moderate severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog, indicating no confirmed widespread exploitation. Exploitation requires the ability to send the relevant POST requests, which likely depends on access to the application but is not detailed in the description. The risk is considered moderate pending further information on the attack vector.

Generated by OpenCVE AI on May 11, 2026 at 21:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched version of HireFlow if one is released by the maintainers.
  • If no patch exists, implement server‑side input validation by stripping or escaping HTML tags for Resume and Feedback Comment before storage and rendering.
  • Employ a Content Security Policy that blocks inline scripts and restricts allowed script sources, thereby limiting the impact of any residual unsanitized input.
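The second and third actions, escaping the free-text fields at render time and shipping a Content Security Policy without inline-script allowances, are shown together below in an added Python example. It is not HireFlow's code and nothing is known about HireFlow's stack; the Candidate record, the two render functions and the CSP value are assumptions chosen to illustrate the pattern. The vulnerable renderer reproduces the unsanitized interpolation the advisory describes so the effect of output encoding can be checked side by side, and a small detection helper flags rendered pages that still carry raw script markup.

```python
"""Added example (not HireFlow's code): output-encode the Resume and
Feedback Comment fields and pair that with a restrictive CSP, the two
mitigations recommended above. All names below are assumptions."""
import html
import re
from dataclasses import dataclass


@dataclass
class Candidate:
    """Hypothetical stored record; the two free-text fields are the sinks
    named in the advisory."""
    name: str
    resume: str
    feedback_comment: str


def escape_field(value: str) -> str:
    """Encode a string for an HTML text or attribute context.
    quote=True also encodes ' and " so the value is safe inside attributes."""
    return html.escape(value, quote=True)


def render_candidate_detail(c: Candidate) -> str:
    """Hardened rendering: every untrusted field is escaped at output time.
    A template engine with autoescaping enabled achieves the same result."""
    return (
        "<h1>{name}</h1>\n"
        '<section id="resume">{resume}</section>\n'
        '<section id="feedback">{feedback}</section>'
    ).format(
        name=escape_field(c.name),
        resume=escape_field(c.resume),
        feedback=escape_field(c.feedback_comment),
    )


def render_candidate_detail_vulnerable(c: Candidate) -> str:
    """The pattern the advisory describes, kept for comparison only:
    stored text is interpolated verbatim, so any markup in it becomes
    live DOM when the page is viewed."""
    return (
        "<h1>{name}</h1>\n"
        '<section id="resume">{resume}</section>\n'
        '<section id="feedback">{feedback}</section>'
    ).format(name=c.name, resume=c.resume, feedback=c.feedback_comment)


# Defence in depth: a CSP with no 'unsafe-inline' in script-src means an
# escaping gap cannot execute inline script. Assumed value, not HireFlow's.
CSP_HEADER = (
    "Content-Security-Policy",
    "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
)

_SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_live_script(rendered_html: str) -> bool:
    """Detection helper: True if the rendered page still carries an
    unencoded <script tag, i.e. encoding was skipped somewhere."""
    return _SCRIPT_TAG.search(rendered_html) is not None


def response_headers() -> dict:
    """Headers a candidate_detail response should carry (assumed set)."""
    return {CSP_HEADER[0]: CSP_HEADER[1], "X-Content-Type-Options": "nosniff"}


if __name__ == "__main__":
    # Constructed sample submission, not a real candidate record.
    sample = Candidate(
        name="Jane Doe",
        resume="<script>alert(1)</script> Five years of Python.",
        feedback_comment='Strong "Python" skills <b>(senior)</b>',
    )
    print(render_candidate_detail(sample))
    print(response_headers())
```

Escaping at render time rather than at storage time is the safer default: it keeps the stored text intact for other consumers (exports, search) and cannot be bypassed by data that reaches the database through another path. Storing already-escaped text, as the action above also allows, works only if every renderer agrees never to escape a second time.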

Generated by OpenCVE AI on May 11, 2026 at 21:47 UTC.

Tracking


Advisories

No advisories yet.

History

Tue, 12 May 2026 10:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Stratonwebdesigners; Stratonwebdesigners hireflow
Vendors & Products | | Stratonwebdesigners; Stratonwebdesigners hireflow

Mon, 11 May 2026 22:15:00 +0000

Type | Values Removed | Values Added
Title | | Cross‑Site Scripting via Resume or Feedback Comment Fields in HireFlow v1.2

Mon, 11 May 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 18:45:00 +0000

Type | Values Removed | Values Added
Title | | Cross‑Site Scripting via Resume or Feedback Comment Fields in HireFlow v1.2
Weaknesses | | CWE-79

Mon, 11 May 2026 17:30:00 +0000

Type | Values Removed | Values Added
Description | | HireFlow v1.2 is vulnerable to Cross Site Scripting (XSS) in candidate_detail.html via the Resume or Feedback Comment fields via POST /candidates/add or POST /feedback/add.
References | |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-11T18:20:22.904Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38569

Vulnrichment

Updated: 2026-05-11T18:20:16.128Z

NVD

Status : Deferred

Published: 2026-05-11T18:16:33.087

Modified: 2026-05-12T15:05:31.120

Link: CVE-2026-38569

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:23:27Z

Weaknesses