Unrated severityOSV Advisory· Published Jan 22, 2026· Updated Jan 22, 2026
Horilla has Improper Access Control Issue that Allows Unauthorized Document Upload on Behalf of Another Employee
CVE-2026-24035
Description
Horilla is a free and open source Human Resource Management System (HRMS). An Improper Access Control vulnerability exists in Horilla HR Software starting in version 1.4.0 and prior to version 1.5.0, allowing any authenticated employee to upload documents on behalf of another employee without proper authorization. This occurs due to insufficient server-side validation of the employee_id parameter during file upload operations, allowing any authenticated employee to upload document in behalf of any employee. Version 1.5.0 fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
21.4.0+ 1 more
- (no CPE)range: 1.4.0
- (no CPE)range: >=1.4.0, <1.5.0
Patches
Vulnerability mechanics
References
3- drive.google.com/file/d/1i00-NnipvxH8bGY-SyqEjnDQfxIbVGRR/viewmitrex_refsource_MISC
- github.com/horilla-opensource/horilla/releases/tag/1.5.0mitrex_refsource_MISC
- github.com/horilla-opensource/horilla/security/advisories/GHSA-fm3f-xpgx-8xr3mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.