VYPR
Vendor: HireFlow
Products: 1
CVEs: 4 (across products: 4)
Status: Private

Recent CVEs (4)
  • CVE-2026-38567 | Critical | May 11, 2026
    risk 0.64 | CVSS 9.8 | EPSS 0.01

    HireFlow v1.2 is vulnerable to SQL injection in the /login and /search endpoints. User-supplied input is concatenated directly into SQL queries without parameterization. An unauthenticated attacker can bypass authentication by supplying a crafted username (e.g. admin'--) or…

  • CVE-2026-38568 | High | May 11, 2026
    risk 0.53 | CVSS 8.1 | EPSS 0.00

    HireFlow v1.2 is vulnerable to Incorrect Access Control. The application does not enforce object-level authorization on the /candidate/ and /interview/ endpoints. The route handlers retrieve records by the user-supplied ID without verifying that the requesting user is…

  • CVE-2026-38566 | High | May 11, 2026
    risk 0.53 | CVSS 8.1 | EPSS 0.00

    HireFlow v1.2 does not implement CSRF token validation on any state-changing POST endpoint. All forms (password change at /profile, candidate deletion at /candidates/delete/, feedback submission at /feedback/add/, interview scheduling at /interviews/add) are vulnerable…

  • CVE-2026-38569 | Medium | May 11, 2026
    risk 0.35 | CVSS 5.4 | EPSS 0.00

    HireFlow v1.2 is vulnerable to Cross-Site Scripting (XSS) in candidate_detail.html through the Resume or Feedback Comment fields, which are submitted via POST /candidates/add or POST /feedback/add.
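The SQL injection in CVE-2026-38567 above comes from concatenating user input into the query string. The following is an added example (not HireFlow's code; the table schema, the stored credential and the function names are assumptions) showing the concatenation pattern next to its parameterized replacement, with the `admin'--` bypass from the advisory run against both. The `/search` case is covered by `safe_search`, which binds the LIKE pattern as a parameter and escapes the wildcard characters so a search term can neither break out of the statement nor match everything.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for the application's
    database. The password is stored in clear text only to keep the demo
    focused on the query; a real login compares against a password hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """The pattern the advisory describes: input spliced into the SQL text.
    A username of admin'-- closes the string literal and comments out the
    password check, so the row for admin is returned without a password."""
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """Parameterized query: the driver binds the values as data, so quote
    characters and comment markers in the input are never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def safe_search(conn, term):
    """Parameterized LIKE for a /search-style endpoint. Binding the pattern
    stops injection; escaping % and _ stops a term like "%" from matching
    every row (the ESCAPE clause names backslash as the escape character)."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    rows = conn.execute(
        "SELECT username FROM users WHERE username LIKE ? ESCAPE '\\'",
        (f"%{escaped}%",),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", vulnerable_login(db, "admin'--", "wrong"))   # admin
    print("safe:      ", safe_login(db, "admin'--", "wrong"))         # None
    print("search:    ", safe_search(db, "' OR 1=1--"))              # []
```

Parameterization is the fix; input filtering of quote characters is not, because the database's own escaping rules (and any ORM raw-query escape hatch) are what must be satisfied, and a parameter binding satisfies them for every input.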
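CVE-2026-38568 above is a missing object-level authorization check: the handler fetches whatever record the supplied ID names. The following is an added example (not HireFlow's code; the `User`, `Candidate` and `Interview` records, the recruiter/admin roles and the handler names are assumptions) that places the vulnerable lookup beside one that checks ownership, and shows how the check for a nested `/interview/` record is derived from the candidate it belongs to rather than from the interview ID alone.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "recruiter" or "admin" (assumed role model for the example)


@dataclass(frozen=True)
class Candidate:
    id: int
    owner_id: int  # recruiter who created the record
    name: str


@dataclass(frozen=True)
class Interview:
    id: int
    candidate_id: int
    when: str


# Constructed records standing in for the application's tables.
CANDIDATES = {
    1: Candidate(1, owner_id=10, name="Ada"),
    2: Candidate(2, owner_id=11, name="Grace"),
}
INTERVIEWS = {
    7: Interview(7, candidate_id=2, when="2026-05-12 10:00"),
}


def can_view(user, candidate):
    """Object-level rule: admins see everything, recruiters only their own."""
    return user.role == "admin" or candidate.owner_id == user.id


def vulnerable_candidate_detail(user, candidate_id):
    """The pattern the advisory describes: record looked up by the supplied
    ID, requester never consulted. Any authenticated user can walk the IDs."""
    rec = CANDIDATES.get(candidate_id)
    return (404, None) if rec is None else (200, rec)


def candidate_detail(user, candidate_id):
    """Fixed handler. Missing and forbidden records get the same 404 so a
    caller cannot confirm which IDs exist by telling 403 apart from 404."""
    rec = CANDIDATES.get(candidate_id)
    if rec is None or not can_view(user, rec):
        return (404, None)
    return (200, rec)


def interview_detail(user, interview_id):
    """Nested object: authorization is inherited from the parent candidate,
    so the check is on the candidate the interview belongs to."""
    iv = INTERVIEWS.get(interview_id)
    if iv is None:
        return (404, None)
    parent = CANDIDATES.get(iv.candidate_id)
    if parent is None or not can_view(user, parent):
        return (404, None)
    return (200, iv)


if __name__ == "__main__":
    recruiter = User(10, "recruiter")
    print(vulnerable_candidate_detail(recruiter, 2))  # (200, Grace) - leak
    print(candidate_detail(recruiter, 2))             # (404, None)
```

When the records live in SQL, fold the ownership predicate into the query itself (`WHERE id = ? AND owner_id = ?`) rather than fetching and then filtering, so a handler cannot forget the check on one code path.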
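CVE-2026-38566 above reports that no state-changing POST endpoint validates a CSRF token. The following is an added example (not HireFlow's code; the session dictionary, the form shape, the `delete_candidate` action and the function names are assumptions) of the synchronizer-token pattern the advisory implies is missing: a random token is generated once per session, embedded in every form, and compared in constant time on each POST before the action runs. The test scenario uses two sessions so that a token lifted from one session is shown to be useless against another.

```python
import hmac
import secrets

# Constructed candidate store mutated by the example action below.
CANDIDATE_NAMES = {1: "Ada", 2: "Grace"}


def issue_csrf_token(session):
    """Create the per-session token on first use and return it; the page
    that renders a form embeds this value in a hidden field."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_valid(session, submitted):
    """True only if a token exists for this session and the submitted value
    matches it. compare_digest avoids a timing side channel on the match."""
    expected = session.get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected, submitted)


def handle_post(session, form, action):
    """Gate every state-changing POST: reject before touching state."""
    if not csrf_valid(session, form.get("csrf_token")):
        return (403, "CSRF token missing or invalid")
    return (200, action(form))


def delete_candidate(form):
    """Hypothetical action behind a /candidates/delete/-style endpoint."""
    cid = int(form["id"])
    if cid not in CANDIDATE_NAMES:
        return "no such candidate"
    return f"deleted {CANDIDATE_NAMES.pop(cid)}"


if __name__ == "__main__":
    victim = {}
    token = issue_csrf_token(victim)  # rendered into the victim's own forms
    # A cross-site form post carries the victim's cookie but not the token.
    print(handle_post(victim, {"id": "1"}, delete_candidate))
    # The victim's own form submission carries it.
    print(handle_post(victim, {"id": "1", "csrf_token": token}, delete_candidate))
```

The token must live server-side (or be bound to the session cryptographically); a token the browser will attach automatically, such as a cookie alone, defeats the purpose. Setting `SameSite=Lax` or `Strict` on the session cookie is a useful second layer but not a replacement, since it depends on browser behaviour the server does not control.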
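CVE-2026-38569 above is XSS through the Resume and Feedback Comment fields rendered in candidate_detail.html. The following is an added example (not HireFlow's template; the record layout and function names are assumptions) that renders the same record two ways: with the field values interpolated into the markup as-is, and with every value HTML-encoded for the text and attribute contexts it lands in. The payload is a constructed script tag stored in the resume field.

```python
import html


def render_candidate_detail_unsafe(candidate):
    """Interpolates stored field values straight into the markup, the
    behaviour the advisory describes: a resume or comment containing
    <script> is emitted as live markup in every viewer's browser."""
    comments = "".join(f"<li>{c}</li>" for c in candidate["comments"])
    return (
        f'<div data-name="{candidate["name"]}">'
        f"<h1>{candidate['name']}</h1>"
        f"<pre>{candidate['resume']}</pre>"
        f"<ul>{comments}</ul></div>"
    )


def render_candidate_detail(candidate):
    """Encodes each value for its output context. html.escape(quote=True)
    replaces & < > " ' so the value is inert both as element text and
    inside a double-quoted attribute."""
    e = lambda s: html.escape(str(s), quote=True)
    comments = "".join(f"<li>{e(c)}</li>" for c in candidate["comments"])
    return (
        f'<div data-name="{e(candidate["name"])}">'
        f"<h1>{e(candidate['name'])}</h1>"
        f"<pre>{e(candidate['resume'])}</pre>"
        f"<ul>{comments}</ul></div>"
    )


def contains_live_markup(rendered, payload):
    """True if the payload survives as markup rather than encoded text."""
    return payload in rendered


# Constructed record with an XSS payload in the resume field and an
# attribute-breaking payload in the name.
SAMPLE = {
    "name": 'Ada" onmouseover="alert(1)',
    "resume": "<script>alert(document.cookie)</script>",
    "comments": ["Strong on systems work", "<img src=x onerror=alert(2)>"],
}

if __name__ == "__main__":
    print(render_candidate_detail_unsafe(SAMPLE))
    print(render_candidate_detail(SAMPLE))
```

With a template engine the equivalent defence is leaving autoescaping on and never routing user-controlled strings through a "safe"/"mark as safe" filter; encoding at output time rather than sanitising at input time also keeps the stored resume text intact for other consumers.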