PT-2026-39654 · Hireflow · Hireflow
Yohaan Guzdar · Published 2026-05-11 · Updated 2026-05-27
CVE-2026-38566 · CVSS v3.1 8.1 (High)
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
HireFlow version 1.2
Description
The software fails to implement Cross-Site Request Forgery (CSRF) token validation on state-changing POST endpoints. This allows an attacker to trick an authenticated user into visiting a malicious page that performs unauthorized actions on their behalf, such as changing passwords, deleting records, or injecting arbitrary data. The SESSION_COOKIE_SAMESITE setting is also not configured, so the session cookie carries no SameSite attribute and the browser-level defense against CSRF is lost. Affected endpoints include:
- '/profile' (password change)
- '/candidates/delete/' (candidate deletion)
- '/feedback/add/' (feedback submission)
- '/interviews/add' (interview scheduling)
Recommendations
Implement CSRF token validation for all state-changing POST endpoints.
Configure the SESSION_COOKIE_SAMESITE setting so the session cookie is sent with a SameSite attribute, enabling browser-level CSRF protection.
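As an added illustration of the two recommendations (this is not HireFlow's code; the framework-neutral helpers, the session dict, the form/header field names and the cookie name are assumptions), a synchronizer-token check applied to the four listed endpoints, plus a session cookie emitted with SameSite set:

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# The endpoints named in the advisory; each one changes server state.
STATE_CHANGING_PATHS = {"/profile", "/candidates/delete/", "/feedback/add/", "/interviews/add"}


def issue_csrf_token(session: dict) -> str:
    """Synchronizer-token pattern: mint one random token per session, keep it server-side,
    and embed it in every form that posts to a state-changing endpoint."""
    token = session.get("csrf_token")
    if token is None:
        token = secrets.token_urlsafe(32)
        session["csrf_token"] = token
    return token


def csrf_check_passes(session: dict, method: str, path: str, form: dict, headers: dict) -> bool:
    """Return True only if a request to a state-changing path is a POST that carries
    the session's own token (hypothetical field 'csrf_token' or header 'X-CSRF-Token')."""
    if path not in STATE_CHANGING_PATHS:
        return True  # read-only paths are not in scope for this check
    if method.upper() != "POST":
        return False  # state changes must never be reachable through a GET a link can trigger
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token") or headers.get("X-CSRF-Token")
    if not expected or not submitted:
        return False
    # Constant-time comparison so the check leaks nothing about the stored token.
    return hmac.compare_digest(expected, submitted)


def session_cookie_header(session_id: str) -> str:
    """Build the Set-Cookie value for the session with the SameSite attribute the advisory
    reports as missing (assumed cookie name 'sessionid'; Lax blocks cross-site POSTs)."""
    cookie = SimpleCookie()
    cookie["sessionid"] = session_id
    cookie["sessionid"]["samesite"] = "Lax"
    cookie["sessionid"]["httponly"] = True
    cookie["sessionid"]["secure"] = True
    cookie["sessionid"]["path"] = "/"
    return cookie.output(header="").strip()
```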
Affected Products
Hireflow