Unrated severityOSV Advisory· Published Jan 22, 2026· Updated Jan 22, 2026
Horilla Exposes Unpublished Job Disclosures through Unauthenticated API
CVE-2026-24036
Description
Horilla is a free and open source Human Resource Management System (HRMS). Versions 1.4.0 and above expose unpublished job postings through the /recruitment/recruitment-details// endpoint without authentication. The response includes draft job titles, descriptions and application link allowing unauthenticated users to view unpublished roles and access the application workflow for unpublished jobs. Unauthorized access to unpublished job posts can leak sensitive internal hiring information and cause confusion among candidates. This issue has been fixed in version 1.5.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
21.4.0+ 1 more
- (no CPE)range: 1.4.0
- (no CPE)range: >=1.4.0, <1.5.0
Patches
Vulnerability mechanics
References
3- github.com/horilla-opensource/horilla/commit/9a585a1588431499092a49d7e82cb77daa4d99eemitrex_refsource_MISC
- github.com/horilla-opensource/horilla/releases/tag/1.5.0mitrex_refsource_MISC
- github.com/horilla-opensource/horilla/security/advisories/GHSA-q4xr-w96p-3vg7mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.