Unrated severityNVD Advisory· Published Sep 24, 2025· Updated Oct 15, 2025
Horilla has Improper Input Sanitization Leading to XSS and Admin Account Takeover
CVE-2025-59525
Description
Horilla is a free and open source Human Resource Management System (HRMS). Prior to version 1.4.0, improper sanitization across the application allows XSS via uploaded SVG (and via allowed ), which can be chained to execute JavaScript whenever users view impacted content (e.g., announcements). This can result in admin account takeover. This issue has been patched in version 1.4.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2<1.4.0+ 1 more
- (no CPE)range: <1.4.0
- (no CPE)range: < 1.4.0
Patches
Vulnerability mechanics
References
3- github.com/Mmo-kali/CVE/blob/main/CVE-2025-59525/2025-08-Horilla_Vulnerability_2.pdfmitrex_refsource_MISC
- github.com/horilla-opensource/horilla/releases/tag/1.4.0mitrex_refsource_MISC
- github.com/horilla-opensource/horilla/security/advisories/GHSA-rp5m-vpqr-vpvpmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.