Unrated severityNVD Advisory· Published Sep 24, 2025· Updated Oct 15, 2025

Horilla has Improper Input Sanitization Leading to XSS and Admin Account Takeover

CVE-2025-59525

Description

Horilla is a free and open source Human Resource Management System (HRMS). Prior to version 1.4.0, improper sanitization across the application allows XSS via uploaded SVG (and via allowed <embed>), which can be chained to execute JavaScript whenever users view impacted content (e.g., announcements). This can result in admin account takeover. This issue has been patched in version 1.4.0.

Affected products

Horilla Opensource/Horillav5
Range: < 1.4.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/Mmo-kali/CVE/blob/main/CVE-2025-59525/2025-08-Horilla_Vulnerability_2.pdfmitrex_refsource_MISC
github.com/horilla-opensource/horilla/releases/tag/1.4.0mitrex_refsource_MISC
github.com/horilla-opensource/horilla/security/advisories/GHSA-rp5m-vpqr-vpvpmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000