CVE-2026-1161
Unknown Unknown - Not Provided
Cross-Site Scripting in pbrong hrms UpdateRecruitmentById Function

Publication date: 2026-01-19

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was detected in pbrong hrms 1.0.1. The affected element is the function UpdateRecruitmentById of the file /handler/recruitment.go. The manipulation results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-19
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-01-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1161
EUVD
EUVD-2026-3212
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pbrong hrms 1.0.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-1161 is a stored cross-site scripting (XSS) vulnerability in pbrong hrms version 1.0.1, specifically in the UpdateRecruitmentById function of the file /handler/recruitment.go. The vulnerability occurs because the application does not properly sanitize or filter user-supplied input before storing and later displaying it. This allows an attacker to inject malicious JavaScript code that is stored in the system and executed in the browsers of users who view the affected data, potentially leading to unauthorized actions or data manipulation. The attack can be launched remotely and requires some user interaction. [1, 2, 3]

Impact Analysis

This vulnerability can impact you by allowing attackers to inject and execute malicious scripts in the context of your web application users. This can lead to data integrity issues, as attackers might manipulate or alter data displayed to users. It may also enable attackers to perform actions on behalf of users, steal session information, or conduct phishing attacks. The vulnerability has a moderate severity score and requires remote access with some user interaction to exploit. [1, 3]

Detection Guidance

Detection of this vulnerability involves identifying if the UpdateRecruitmentById function in pbrong hrms 1.0.1 is vulnerable to stored cross-site scripting (XSS). Since the vulnerability arises from unsanitized user input being stored and later rendered, one approach is to test the recruitment management interface by submitting crafted input containing JavaScript payloads and observing if the payload executes when retrieved. There are no specific commands provided in the resources. However, manual testing or using web vulnerability scanners that detect stored XSS by injecting scripts into input fields and monitoring responses can be used. [3]

Mitigation Strategies

No known countermeasures or mitigations have been identified for this vulnerability. It is suggested to consider replacing the affected product with an alternative. Immediate mitigation steps could include restricting access to the vulnerable function, applying input validation and sanitization if possible, or disabling the affected feature until a patch or fix is available. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1161. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart