CVE-2026-38567 (CVSS 9.8)
HireFlow v1.2 has textbook SQL injection in both its login and search pages. An attacker can bypass authentication outright with a payload as simple as `admin'--` in the username field, which closes the string literal and comments out the password check, or dump the whole database (including plaintext or hashed credentials) through a UNION injection on the search endpoint. Neither attack requires an account. The fix on both endpoints is the same: parameterized queries instead of building SQL from user input. If this app is internet-facing, assume it has already been found by scanners.
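The following is an added illustration, not HireFlow's code and not the digest's own material: a constructed SQLite stand-in with a hypothetical `users` / `jobs` schema, showing the two injection patterns the digest describes (authentication bypass with `admin'--` and a UNION dump via the search field) next to the parameterized versions that stop them. Table and column names, the sample rows and the hash values are all made up for the demo.

```python
import sqlite3

# Constructed sample data (not HireFlow's schema; hashes are arbitrary MD5-looking strings).
USERS = [
    (1, "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    (2, "recruiter", "e10adc3949ba59abbe56e057f20f883e"),
]
JOBS = [
    (1, "Backend Engineer", "Acme"),
    (2, "Site Reliability Engineer", "Globex"),
]


def make_db():
    """Build an in-memory SQLite database standing in for the app's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.execute("CREATE TABLE jobs (id INTEGER PRIMARY KEY, title TEXT, company TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.executemany("INSERT INTO jobs VALUES (?, ?, ?)", JOBS)
    return conn


def login_vulnerable(conn, username, password_hash):
    """String-concatenated login query: `admin'--` closes the literal and comments out the password check."""
    sql = (
        "SELECT id, username FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password_hash}'"
    )
    return conn.execute(sql).fetchone()


def login_fixed(conn, username, password_hash):
    """Parameterized login: the driver binds the values, so quotes and comment markers are just data."""
    sql = "SELECT id, username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone()


def search_vulnerable(conn, keyword):
    """String-concatenated search: a UNION payload with two columns appends rows from the users table."""
    sql = f"SELECT title, company FROM jobs WHERE title LIKE '%{keyword}%'"
    return conn.execute(sql).fetchall()


def search_fixed(conn, keyword):
    """Parameterized search: the wildcard is added in Python, the whole pattern is bound as one value."""
    sql = "SELECT title, company FROM jobs WHERE title LIKE ?"
    return conn.execute(sql, (f"%{keyword}%",)).fetchall()


# Payloads of the shape the digest describes. The UNION payload picks two columns to match the
# search query's column count; the trailing -- discards the rest of the original query.
AUTH_BYPASS = "admin'--"
UNION_DUMP = "nothing' UNION SELECT username, password_hash FROM users--"


def demo():
    """Run both attacks against the vulnerable and fixed handlers; returns a summary dict."""
    conn = make_db()
    return {
        "bypass_vulnerable": login_vulnerable(conn, AUTH_BYPASS, "wrong"),
        "bypass_fixed": login_fixed(conn, AUTH_BYPASS, "wrong"),
        "dump_vulnerable": search_vulnerable(conn, UNION_DUMP),
        "dump_fixed": search_fixed(conn, UNION_DUMP),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

One caveat when reproducing this against other engines: SQLite and PostgreSQL accept a bare `--` as a comment, but MySQL requires whitespace after it (`-- ` with a trailing space) or the `#` marker, so scanners usually send `admin'-- ` or `admin'#` rather than the bare form shown in the digest.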