Description
In the smartLibrary component of the HRForecast Suite 0.4.3, a SQL injection vulnerability was discovered in the valueKey parameter. This flaw enables any authenticated user to execute arbitrary SQL queries, via crafted payloads to valueKey to the api/smartlibrary/v2/en/dictionaries/options/lookup endpoint.
References (3)
Core 3
Core References
Third Party Advisory
https://github.com/MVRC-ITSEC/CVEs/blob/main/CVE-2025-51506
Product
https://hrforecast.com/
Scores
CVSS v3
6.5
EPSS
0.0003
EPSS Percentile
8.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-89
Status
published
Products (1)
talentneuron/hrforecast_suite
0.4.3
Published
Aug 19, 2025
Tracked Since
Feb 18, 2026