CVE-2026-45336
HireFlow: Use of Hard-coded Credentials
CVSS Score
10.0
EPSS Score
0.0%
EPSS Percentile
0th
HireFlow is a web-based interview management system for managing candidates, scheduling interviews, and tracking hiring progress. In 1.2 and earlier, app.py assigns a hard-coded Flask secret_key used to sign session cookies, allowing unauthenticated attackers who know the public source value to forge cookies containing role=admin and user_id values and bypass authentication. The advisory lists version 1.3 as fixed.
| CWE | CWE-798 |
| Vendor | stratonwebdesigners |
| Product | hireflow |
| Published | Jul 16, 2026 |
Stay Ahead of the Next One
Get instant alerts for stratonwebdesigners hireflow
Be the first to know when new critical vulnerabilities affecting stratonwebdesigners hireflow are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
Low
Affected Versions
StratonWebDesigners / HireFlow
< 1.3