Unrated severityOSV Advisory· Published Jan 22, 2026· Updated Jan 22, 2026

Horilla has Improper Access Control Issue that Allows Unauthorized Document Upload on Behalf of Another Employee

CVE-2026-24035

Description

Horilla is a free and open source Human Resource Management System (HRMS). An Improper Access Control vulnerability exists in Horilla HR Software starting in version 1.4.0 and prior to version 1.5.0, allowing any authenticated employee to upload documents on behalf of another employee without proper authorization. This occurs due to insufficient server-side validation of the employee_id parameter during file upload operations, allowing any authenticated employee to upload document in behalf of any employee. Version 1.5.0 fixes the issue.

Affected products

Horilla Opensource/HorillaOSV
Range: 1.4.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

drive.google.com/file/d/1i00-NnipvxH8bGY-SyqEjnDQfxIbVGRR/viewmitrex_refsource_MISC
github.com/horilla-opensource/horilla/releases/tag/1.5.0mitrex_refsource_MISC
github.com/horilla-opensource/horilla/security/advisories/GHSA-fm3f-xpgx-8xr3mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000