Skip to main content

HireFlow EUVDEUVD-2026-29117

| CVE-2026-38569 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-11 mitre GHSA-9326-wjh3-92p6
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
May 11, 2026 - 19:45 vuln.today
CVSS changed
May 11, 2026 - 19:22 NVD
5.4 (MEDIUM)
CVE Published
May 11, 2026 - 00:00 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 00:00 nvd
MEDIUM 5.4

DescriptionCVE.org

HireFlow v1.2 is vulnerable to Cross Site Scripting (XSS) in candidate_detail.html via the Resume or Feedback Comment fields via POST /candidates/add or POST /feedback/add.

AnalysisAI

HireFlow v1.2 contains reflected cross-site scripting (XSS) vulnerabilities in the candidate detail interface that allow authenticated users to inject malicious scripts via the Resume or Feedback Comment fields when submitting data to POST /candidates/add or POST /feedback/add endpoints. An attacker with user-level access can craft a malicious request containing JavaScript payloads that execute in the browsers of other users viewing the affected pages, potentially compromising session tokens, stealing credentials, or performing actions on behalf of victims. The CVSS score of 5.4 reflects the requirement for user interaction and authenticated access, though the cross-site scope indicates broader application impact beyond the attacker's session.

Technical ContextAI

HireFlow is a Python-based interview management system built on a web framework that fails to properly sanitize or validate user-supplied input in HTML form fields before rendering them in candidate_detail.html. The vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic XSS flaw where untrusted data from POST parameters is directly embedded into HTML output without encoding or escaping special characters. The Resume and Feedback Comment fields accept arbitrary text input and reflect this content back to users without Content Security Policy (CSP) headers or HTML entity encoding. The vulnerability affects both the POST /candidates/add and POST /feedback/add endpoints, suggesting multiple attack surface areas within the application's form processing logic.

RemediationAI

The primary remediation is to upgrade HireFlow to a patched version if available from the vendor, or apply input validation and output encoding fixes immediately. Specifically, implement HTML entity encoding (using libraries such as html.escape() in Python or equivalent) on all user-supplied input before rendering in candidate_detail.html, particularly the Resume and Feedback Comment fields. In the interim, apply the following compensating controls: (1) Implement a Content Security Policy (CSP) header with script-src restrictions to prevent inline JavaScript execution, which will block most XSS payloads while allowing legitimate functionality; (2) Disable or sanitize the Resume and Feedback Comment fields at the application layer by stripping HTML tags and escaping special characters using a server-side library like bleach or html2text; (3) Restrict access to POST /candidates/add and POST /feedback/add endpoints to authenticated users only (already enforced) and log all submissions for audit; (4) Deploy a Web Application Firewall (WAF) rule to detect common XSS patterns in POST parameters and block suspicious submissions. Users should report this to the HireFlow maintainers via the GitHub repository (StratonWebDesigners/HireFlow) or SourceCodester platform if they discover a patched version. No vendor-released patch version has been independently confirmed from the provided data.

Share

EUVD-2026-29117 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy