{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1161", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-01-18T20:32:51.738Z", "datePublished": "2026-01-19T16:02:07.455Z", "dateUpdated": "2026-02-23T08:47:27.833Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T08:47:27.833Z"}, "title": "pbrong hrms recruitment.go UpdateRecruitmentById cross site scripting", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "Cross Site Scripting"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}], "affected": [{"vendor": "pbrong", "product": "hrms", "versions": [{"version": "1.0.1", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in pbrong hrms 1.0.1. The affected element is the function UpdateRecruitmentById of the file /handler/recruitment.go. The manipulation results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-01-18T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-01-18T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-01-20T09:28:50.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Guozhao Liao (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.341755", "name": "VDB-341755 | pbrong hrms recruitment.go UpdateRecruitmentById cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.341755", "name": "VDB-341755 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.736510", "name": "Submit #736510 | Pbrong hrms 1.0.1 Stored Cross Site Scripting Vulnerability", "tags": ["third-party-advisory"]}, {"url": "https://github.com/TheLiao233/cve/issues/1", "tags": ["exploit", "issue-tracking"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-20T21:33:34.527780Z", "id": "CVE-2026-1161", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T21:33:40.542Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1161", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-20T21:33:34.527780Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T21:33:37.883Z"}}], "cna": {"title": "pbrong hrms recruitment.go UpdateRecruitmentById cross site scripting", "credits": [{"lang": "en", "type": "reporter", "value": "Guozhao Liao (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "pbrong", "product": "hrms", "versions": [{"status": "affected", "version": "1.0.1"}]}], "timeline": [{"lang": "en", "time": "2026-01-18T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-01-18T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-01-20T09:28:50.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.341755", "name": "VDB-341755 | pbrong hrms recruitment.go UpdateRecruitmentById cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.341755", "name": "VDB-341755 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.736510", "name": "Submit #736510 | Pbrong hrms 1.0.1 Stored Cross Site Scripting Vulnerability", "tags": ["third-party-advisory"]}, {"url": "https://github.com/TheLiao233/cve/issues/1", "tags": ["exploit", "issue-tracking"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in pbrong hrms 1.0.1. The affected element is the function UpdateRecruitmentById of the file /handler/recruitment.go. The manipulation results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Cross Site Scripting"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Code Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T08:47:27.833Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1161", "state": "PUBLISHED", "dateUpdated": "2026-02-23T08:47:27.833Z", "dateReserved": "2026-01-18T20:32:51.738Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-01-19T16:02:07.455Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in pbrong hrms 1.0.1. The affected element is the function UpdateRecruitmentById of the file /handler/recruitment.go. The manipulation results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used."}, {"lang": "es", "value": "Una vulnerabilidad fue detectada en pbrong hrms 1.0.1. El elemento afectado es la funci\u00f3n UpdateRecruitmentById del archivo /handler/recruitment.go. La manipulaci\u00f3n resulta en cross site scripting. El ataque puede ser lanzado remotamente. El exploit es ahora p\u00fablico y puede ser usado."}], "id": "CVE-2026-1161", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.0, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-01-19T16:15:54.133", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/TheLiao233/cve/issues/1"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.341755"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.341755"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.736510"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T15:53:38.373691+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest pbrong hrms release that removes the vulnerable UpdateRecruitmentById function.", "If an upgrade cannot be performed immediately, sanitize or escape all recruitment field data on the server side before it is stored or displayed, ensuring scripts cannot execute.", "Deploy a Content Security Policy that restricts script sources, limiting the risk of stored XSS execution."], "summary": {"action": "Apply Patch", "impact": "Remote Cross\u2011Site Scripting via UpdateRecruitmentById"}, "threat_synthesis": {"affected_systems": "The affected vendor is pbrong and the product is hrms, with the vulnerable release identified as 1.0.1. No other versions are listed in the CNA data. Users running this specific release are exposed to the risk.", "description_and_impact": "A stored cross\u2011site scripting flaw exists in pbrong hrms version 1.0.1 within the UpdateRecruitmentById handler. The flaw permits an attacker to inject arbitrary script code that will be rendered when the recruitment entry is viewed. This weakness can lead to session hijacking, theft of sensitive data, or defacement, and is a classic example of CWE\u201179. The defect is triggered by normal input handling on the recruitment endpoint, providing an attacker with a straightforward path to execute malicious scripts in the context of victims who access the vulnerable page.", "risk_and_exploitability": "The CVSS score of 5.1 indicates moderate severity, and the EPSS score of less than 1% suggests that exploitation is not yet widespread. The vulnerability is publicly known and can be triggered remotely by supplying crafted input to the UpdateRecruitmentById endpoint. The issue is not listed in the CISA Known Exploited Vulnerabilities catalog, but the public exploit indicates that attackers are aware of and able to leverage the flaw. In practice, an attacker who successfully delivers malicious scripts can compromise user sessions, capture credentials, or modify content presented to other users. The attack vector is remote, over the public network, and does not require privileged access to the server."}}}}, "created": "2026-01-20T08:40:59.482303+00:00", "updated": "2026-04-18T16:00:04.288178+00:00", "vendors": ["pbrong", "pbrong$PRODUCT$hrms"]}