CVE Catalog

CVE-2026-38567

Critical
Published: Translated: NVD NIST

Summary

HireFlow v1.2 is vulnerable to SQL injection in the /login and /search endpoints. User-supplied input is concatenated directly into SQL queries without parameterization.

Risk Assessment

An unauthenticated attacker can bypass authentication by supplying a crafted username or extract the full contents of the database including user credentials.

Recommendation

It is recommended to implement parameterized SQL queries and review and secure the /login and /search endpoints against potential attacks.

Original NVD description (English source)

HireFlow v1.2 is vulnerable to SQL injection in the /login and /search endpoints. User-supplied input is concatenated directly into SQL queries without parameterization. An unauthenticated attacker can bypass authentication by supplying a crafted username (e.g. admin'--) or extract the full contents of the database including user credentials via UNION-based injection at the /search endpoint.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS