CVE-2026-38567

Name of the Vulnerable Software and Affected Versions HireFlow version 1.2

Description SQL injection occurs because user-supplied input is concatenated directly into SQL queries without parameterization. An unauthenticated attacker can bypass authentication or extract the full contents of the database, including user credentials, via UNION-based injection. The affected endpoints are "/login" and "/search".

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.