CVE-2026-1161
Cross-Site Scripting in pbrong hrms UpdateRecruitmentById Function
Publication date: 2026-01-19
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pbrong | hrms | 1.0.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1161 is a stored cross-site scripting (XSS) vulnerability in pbrong hrms version 1.0.1, specifically in the UpdateRecruitmentById function of the file /handler/recruitment.go. The vulnerability occurs because the application does not properly sanitize or filter user-supplied input before storing and later displaying it. This allows an attacker to inject malicious JavaScript code that is stored in the system and executed in the browsers of users who view the affected data, potentially leading to unauthorized actions or data manipulation. The attack can be launched remotely and requires some user interaction. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to inject and execute malicious scripts in the context of your web application users. This can lead to data integrity issues, as attackers might manipulate or alter data displayed to users. It may also enable attackers to perform actions on behalf of users, steal session information, or conduct phishing attacks. The vulnerability has a moderate severity score and requires remote access with some user interaction to exploit. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if the UpdateRecruitmentById function in pbrong hrms 1.0.1 is vulnerable to stored cross-site scripting (XSS). Since the vulnerability arises from unsanitized user input being stored and later rendered, one approach is to test the recruitment management interface by submitting crafted input containing JavaScript payloads and observing if the payload executes when retrieved. There are no specific commands provided in the resources. However, manual testing or using web vulnerability scanners that detect stored XSS by injecting scripts into input fields and monitoring responses can be used. [3]
What immediate steps should I take to mitigate this vulnerability?
No known countermeasures or mitigations have been identified for this vulnerability. It is suggested to consider replacing the affected product with an alternative. Immediate mitigation steps could include restricting access to the vulnerable function, applying input validation and sanitization if possible, or disabling the affected feature until a patch or fix is available. [1]