Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
HireFlow v1.2 is vulnerable to Cross Site Scripting (XSS) in candidate_detail.html via the Resume or Feedback Comment fields via POST /candidates/add or POST /feedback/add.
AnalysisAI
HireFlow v1.2 contains reflected cross-site scripting (XSS) vulnerabilities in the candidate detail interface that allow authenticated users to inject malicious scripts via the Resume or Feedback Comment fields when submitting data to POST /candidates/add or POST /feedback/add endpoints. An attacker with user-level access can craft a malicious request containing JavaScript payloads that execute in the browsers of other users viewing the affected pages, potentially compromising session tokens, stealing credentials, or performing actions on behalf of victims. The CVSS score of 5.4 reflects the requirement for user interaction and authenticated access, though the cross-site scope indicates broader application impact beyond the attacker's session.
Technical ContextAI
HireFlow is a Python-based interview management system built on a web framework that fails to properly sanitize or validate user-supplied input in HTML form fields before rendering them in candidate_detail.html. The vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic XSS flaw where untrusted data from POST parameters is directly embedded into HTML output without encoding or escaping special characters. The Resume and Feedback Comment fields accept arbitrary text input and reflect this content back to users without Content Security Policy (CSP) headers or HTML entity encoding. The vulnerability affects both the POST /candidates/add and POST /feedback/add endpoints, suggesting multiple attack surface areas within the application's form processing logic.
RemediationAI
The primary remediation is to upgrade HireFlow to a patched version if available from the vendor, or apply input validation and output encoding fixes immediately. Specifically, implement HTML entity encoding (using libraries such as html.escape() in Python or equivalent) on all user-supplied input before rendering in candidate_detail.html, particularly the Resume and Feedback Comment fields. In the interim, apply the following compensating controls: (1) Implement a Content Security Policy (CSP) header with script-src restrictions to prevent inline JavaScript execution, which will block most XSS payloads while allowing legitimate functionality; (2) Disable or sanitize the Resume and Feedback Comment fields at the application layer by stripping HTML tags and escaping special characters using a server-side library like bleach or html2text; (3) Restrict access to POST /candidates/add and POST /feedback/add endpoints to authenticated users only (already enforced) and log all submissions for audit; (4) Deploy a Web Application Firewall (WAF) rule to detect common XSS patterns in POST parameters and block suspicious submissions. Users should report this to the HireFlow maintainers via the GitHub repository (StratonWebDesigners/HireFlow) or SourceCodester platform if they discover a patched version. No vendor-released patch version has been independently confirmed from the provided data.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29117
GHSA-9326-wjh3-92p6