Unrated severityNVD Advisory· Published Sep 24, 2025· Updated Sep 24, 2025
Horilla Stored Cross-Site Scripting (XSS) Vulnerability in Project and Task Modules
CVE-2025-48867
Description
Horilla is a free and open source Human Resource Management System (HRMS). A stored cross-site scripting (XSS) vulnerability in Horilla HRM 1.3.0 allows authenticated admin or privileged users to inject malicious JavaScript payloads into multiple fields in the Project and Task modules. These payloads persist in the database and are executed when viewed by an admin or other privileged users through the web interface. Although the issue is not exploitable by unauthenticated users, it still poses a high risk of session hijacking and unauthorized action within high-privilege accounts. At time of publication there is no known patch.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: <=1.3.0
- Range: = 1.3.0
Patches
Vulnerability mechanics
References
1- github.com/horilla-opensource/horilla/security/advisories/GHSA-w242-xv47-j55rmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.