CVE-2026-38568
CVSS 8.1
HireFlow v1.2 has no object-level authorization on candidate and interview endpoints. Any authenticated user can read every other user's candidate profiles and interview notes just by incrementing the integer ID in the URL. This is a full horizontal privilege escalation: one valid account gives access to the entire dataset.
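The defect above is a missing object-level authorization check, so the fix is a per-request ownership decision rather than anything at the authentication layer. The following Python sketch is an added illustration, not HireFlow's code: the candidate store, the owner/role model, and the function names are all constructed assumptions. It shows the pattern the advisory describes (lookup by integer ID with no ownership check) beside a hardened handler that resolves the record and then decides whether the requesting user may see it, plus a small audit helper that counts denied lookups per user, which is the signal a defender would watch for when one account walks through IDs.

```python
"""Object-level authorization on a candidate endpoint.

Added illustration, not HireFlow's code. The User/Candidate model, the
roles, the in-memory store and the function names are assumptions made
for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class User:
    id: int
    role: str = "recruiter"  # constructed roles: "recruiter" or "admin"


@dataclass
class Candidate:
    id: int
    owner_id: int  # the recruiter who created the profile
    name: str
    interview_notes: List[str] = field(default_factory=list)


# Constructed sample data: two recruiters (ids 10 and 20), one candidate each.
CANDIDATES: Dict[int, Candidate] = {
    1: Candidate(1, owner_id=10, name="A. Example", interview_notes=["strong on systems"]),
    2: Candidate(2, owner_id=20, name="B. Example", interview_notes=["needs follow-up"]),
}


class NotFound(Exception):
    """Maps to an HTTP 404 in a real handler."""


def get_candidate_vulnerable(user: User, candidate_id: int) -> Candidate:
    """The pattern the advisory describes: the caller is authenticated,
    but the record is returned without checking who owns it."""
    rec = CANDIDATES.get(candidate_id)
    if rec is None:
        raise NotFound
    return rec


def can_view(user: User, rec: Candidate) -> bool:
    """Authorization policy: owners see their own records, admins see all."""
    return user.role == "admin" or rec.owner_id == user.id


def get_candidate_hardened(user: User, candidate_id: int) -> Candidate:
    """Resolve the object first, then apply the object-level check.
    A missing record and a record the caller may not see get the same
    answer, so the endpoint does not confirm which IDs exist."""
    rec = CANDIDATES.get(candidate_id)
    if rec is None or not can_view(user, rec):
        raise NotFound
    return rec


def denied(user: User, candidate_id: int) -> bool:
    """True if the hardened handler refuses this (user, id) pair."""
    try:
        get_candidate_hardened(user, candidate_id)
    except NotFound:
        return True
    return False


def audit_denials(requests: Iterable[Tuple[User, int]]) -> Dict[int, int]:
    """Count refused lookups per user id over a batch of requests.
    A single account accumulating many denials across consecutive IDs
    is the access pattern a detection rule would flag."""
    counts: Dict[int, int] = {}
    for user, cid in requests:
        if denied(user, cid):
            counts[user.id] = counts.get(user.id, 0) + 1
    return counts


if __name__ == "__main__":
    recruiter = User(10)
    print(get_candidate_vulnerable(recruiter, 2).name)  # other recruiter's record leaks
    print(denied(recruiter, 2))                          # hardened handler refuses it
    print(audit_denials([(recruiter, 1), (recruiter, 2), (recruiter, 3)]))
```

The ordering in `get_candidate_hardened` matters: the check is made against the resolved record's owner, not against anything the client supplies, so changing the ID in the URL cannot change the outcome. Returning the same 404 for "does not exist" and "not yours" is a deliberate choice; a 403 is equally valid if the product prefers explicit denials, as long as the decision is made on every object-returning endpoint.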