VYPR
Low severity (3.5) · NVD Advisory · Published Jan 19, 2026 · Updated Apr 29, 2026

CVE-2026-1161

Description

A vulnerability was detected in pbrong hrms 1.0.1. The affected element is the function UpdateRecruitmentById of the file /handler/recruitment.go. The manipulation results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Pbrong hrms 1.0.1 contains a stored XSS vulnerability in the UpdateRecruitmentById function due to insufficient input sanitization.

Vulnerability

Analysis

CVE-2026-1161 describes a stored cross-site scripting (XSS) vulnerability in pbrong hrms version 1.0.1. The flaw resides in the UpdateRecruitmentById function within the file /handler/recruitment.go. The application fails to sanitize user-supplied input before storing it in the database, allowing an attacker to inject malicious JavaScript code [1].

Exploitation

An attacker can exploit this vulnerability by entering crafted data through the recruitment management interface. The input is passed to UpdateRecruitmentById, which stores it in the database without adequate filtering. Subsequently, another endpoint, GetRecruitmentByJobName, retrieves and displays the stored data without sanitization, causing the injected script to execute in the browser of any user viewing the recruitment information [1]. The attack can be performed remotely and does not require elevated privileges, though authenticated access to the recruitment feature may be needed.

Impact

Successful exploitation of this stored XSS allows an attacker to execute arbitrary JavaScript in the context of a victim's session. This can lead to theft of session cookies, redirection to malicious sites, or defacement of the application. The public availability of exploit details increases the risk of widespread attacks [1].

Mitigation

As of the publication date, the vendor has not released a patched version. It is recommended to apply input validation and output encoding for all user-supplied data, especially in the recruitment update functionality. Until a fix is available, consider disabling the affected functionality or using a Web Application Firewall (WAF) to detect and block XSS payloads [1].
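The two mitigation layers named above, shown as an added Go example that is not code from pbrong hrms or from the advisory: a validation step for the update path and html/template output encoding for the read path, with the unsafe string interpolation beside it for contrast. Recruitment, ValidateRecruitment, RenderUnsafe, RenderRecruitment and the 2000-byte limit are hypothetical names and values, not the project's own.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
	"unicode"
	"unicode/utf8"
)

// Recruitment is a constructed stand-in for the stored record; it is not pbrong hrms's own type.
type Recruitment struct {
	JobName     string
	Description string
}

// isBadControl flags control characters other than newline and tab.
func isBadControl(c rune) bool { return unicode.IsControl(c) && c != '\n' && c != '\t' }

// ValidateRecruitment is the input-validation layer for the update endpoint: it rejects
// invalid UTF-8, oversized values (2000 bytes is an assumed limit) and control characters.
// It does not strip HTML: encoding at output time is what stops a stored script running.
func ValidateRecruitment(r Recruitment) error {
	for name, v := range map[string]string{"job_name": r.JobName, "description": r.Description} {
		if !utf8.ValidString(v) || len(v) > 2000 || strings.IndexFunc(v, isBadControl) >= 0 {
			return fmt.Errorf("%s: invalid UTF-8, too long, or contains control characters", name)
		}
	}
	return nil
}

// RenderUnsafe mirrors the failure mode described for GetRecruitmentByJobName: stored
// data is interpolated straight into HTML, so any markup in it is live in the browser.
func RenderUnsafe(r Recruitment) string {
	return fmt.Sprintf("<h1>%s</h1><p>%s</p>", r.JobName, r.Description)
}

// page uses html/template, whose contextual auto-escaping encodes every {{...}} action
// for the HTML context it lands in; RenderRecruitment is the output-encoding layer.
var page = template.Must(template.New("job").Parse(`<h1>{{.JobName}}</h1><p>{{.Description}}</p>`))

// RenderRecruitment is what a read endpoint should use to display stored data.
func RenderRecruitment(r Recruitment) (string, error) {
	var buf bytes.Buffer
	if err := page.Execute(&buf, r); err != nil {
		return "", err
	}
	return buf.String(), nil
}
```

Validation deliberately accepts markup, so the test below checks that only the encoding layer neutralises it; a WAF rule or input filter alone leaves the read path exposed.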

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0. No linked articles in our index yet.