Home
Description
HireFlow v1.2 is vulnerable to SQL injection in the /login and /search endpoints. User-supplied input is concatenated directly into SQL queries without parameterization. An unauthenticated attacker can bypass authentication by supplying a crafted username (e.g. admin'--) or extract the full contents of the database including user credentials via UNION-based injection at the /search endpoint.
References
github.com/StratonWebDesigners/HireFlow
www.sourcecodester.com/...e-interview-management-system.html
github.com/...-Disclosures/tree/main/HireFlow/CVE-2026-38567