CVE-2026-38566 — HireFlow v1.2 does not implement CSRF token validation on any state-changing POST endpoint. All forms (password change at /profile, candidate deletion at /candidates/delete/, feedback submission at /f — CVE Database · The Intelligence Room