LeakyCreds

CVE-2026-38567 - Vulnerability Analysis

Severity: Critical (CVSS 9.8)

Last Updated: May 12, 2026

HireFlow - SQL Injection

Published: May 11, 2026
Updated: May 12, 2026
Remotely Exploitable

Overview

HireFlow v1.2 contains a SQL injection vulnerability: unsanitized user input is concatenated directly into the SQL queries behind the /login and /search endpoints, allowing unauthenticated attackers to bypass authentication and extract database contents.

Severity & Score

Severity: Critical
CVSS Score: 9.8

Impact

Unauthenticated attackers can bypass authentication and extract full database contents, including user credentials, leading to complete data compromise.

Mitigation

Update to the latest version, which adds proper input sanitization and uses parameterized queries for the affected endpoints.
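As an added illustration (not HireFlow's code; the advisory does not give the application's language or schema), the following Python/sqlite3 stand-in shows the concatenation pattern described in the overview for a /login query beside the parameterized form the mitigation calls for, plus the extra wildcard escaping a /search endpoint needs even after binding. The table and the 'alice' row are constructed sample data.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the application's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The CWE-89 pattern: request fields spliced into the SQL text, so a
    # quote in either field changes the statement's structure.
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_fixed(conn, username, password):
    # Parameterized query: values are bound by the driver and can never be
    # parsed as SQL, whatever characters they contain.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def search_fixed(conn, term):
    # Binding stops injection, but LIKE wildcards in the term would still let
    # a caller match everything; escape them so the term is matched literally.
    escaped = (term.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    query = "SELECT username FROM users WHERE username LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(query, (f"%{escaped}%",))]


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"  # classic password field tautology
    print("vulnerable, unknown user:", login_vulnerable(db, "nobody", tautology))
    print("fixed, unknown user:     ", login_fixed(db, "nobody", tautology))
    print("search 'lic':", search_fixed(db, "lic"), "search '%':", search_fixed(db, "%"))
```

Running the block shows the concatenated query accepting an unknown user with a tautology in the password field, while the bound version rejects it and the escaped search returns only literal matches.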

Details

CVE ID: CVE-2026-38567
Severity: Critical
CVSS Score: 9.8
Type: sql_injection
Status: rejected

CWE

  • CWE-89

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H