Description
Johnson & Johnson Campus Recruiting before 2025-10-31 allows viewing of data provided by recruited students, and notes entered about students by interviewers.
Published: 2026-06-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Johnson & Johnson Campus Recruiting web application contains a flaw that permits users to view personal data supplied by prospective recruits and internal notes created by interviewers. The vulnerability results in unauthorized disclosure of sensitive information that could be used for identity fraud, targeted phishing, or other privacy violations. It reflects a lack of proper access control (CWE-602).

Affected Systems

The affected system is the Johnson & Johnson Campus Recruiting web application, with all releases prior to 2025‑10‑31 vulnerable. No specific sub‑versions are listed, so any deployment of the legacy system before the cutoff date is at risk.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, but the exploit is likely to be straightforward once an authenticated session is established, due to the absence of role checks on sensitive endpoints. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting it may not yet be widely exploited. Attackers would simply need legitimate access to the system to retrieve data, making prevalence high for internal actors.

Generated by OpenCVE AI on June 26, 2026 at 12:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version of the campus recruiting application released on or after 2025-10-31, which contains the issued fix.
  • Enforce granular role-based access controls to ensure that only authorized recruiters can view personal data and interview notes, and restrict access to sensitive endpoints.
  • Conduct an audit of user permissions and logs to detect any unintended data exposures, and remediate any misconfigurations that allow data leakage.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 13:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Data Exposure In Johnson & Johnson Campus Recruiting Web Application |

Fri, 26 Jun 2026 12:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |

Fri, 26 Jun 2026 11:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Johnson & Johnson Campus Recruiting before 2025-10-31 allows viewing of data provided by recruited students, and notes entered about students by interviewers. |
| Weaknesses | | CWE-602 |
| References | | |
| Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'} |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-26T12:05:07.512Z

Reserved: 2026-06-26T10:04:37.108Z

Link: CVE-2026-57912

Vulnrichment

Updated: 2026-06-26T12:05:02.399Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T13:00:14Z

Weaknesses
  • CWE-602: Client-Side Enforcement of Server-Side Security