Unrated severityOSV Advisory· Published Jan 22, 2026· Updated Jan 22, 2026

Horilla Exposes Unpublished Job Disclosures through Unauthenticated API

CVE-2026-24036

Description

Horilla is a free and open source Human Resource Management System (HRMS). Versions 1.4.0 and above expose unpublished job postings through the /recruitment/recruitment-details// endpoint without authentication. The response includes draft job titles, descriptions and application link allowing unauthenticated users to view unpublished roles and access the application workflow for unpublished jobs. Unauthorized access to unpublished job posts can leak sensitive internal hiring information and cause confusion among candidates. This issue has been fixed in version 1.5.0.

Affected products

Horilla Opensource/HorillaOSV
Range: 1.4.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/horilla-opensource/horilla/commit/9a585a1588431499092a49d7e82cb77daa4d99eemitrex_refsource_MISC
github.com/horilla-opensource/horilla/releases/tag/1.5.0mitrex_refsource_MISC
github.com/horilla-opensource/horilla/security/advisories/GHSA-q4xr-w96p-3vg7mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000