๐Ÿ” CVE Alert

CVE-2026-45336

CRITICAL 10.0

HireFlow: Use of Hard-coded Credentials

CVSS Score
10.0
EPSS Score
0.0%
EPSS Percentile
0th

HireFlow is a web-based interview management system for managing candidates, scheduling interviews, and tracking hiring progress. In 1.2 and earlier, app.py assigns a hard-coded Flask secret_key used to sign session cookies, allowing unauthenticated attackers who know the public source value to forge cookies containing role=admin and user_id values and bypass authentication. The advisory lists version 1.3 as fixed.

CWE CWE-798
Vendor stratonwebdesigners
Product hireflow
Published Jul 16, 2026
Stay Ahead of the Next One

Get instant alerts for stratonwebdesigners hireflow

Be the first to know when new critical vulnerabilities affecting stratonwebdesigners hireflow are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
Low

Affected Versions

StratonWebDesigners / HireFlow
< 1.3

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/StratonWebDesigners/HireFlow/security/advisories/GHSA-x53g-jr84-jrv5 github.com: https://github.com/StratonWebDesigners/HireFlow/releases/tag/v1.3