Horilla
Source repositories
CVEs (21)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-40866 | Hig | 0.56 | — | 0.00 | Apr 21, 2026 | Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in the employee document upload endpoint allows any authenticated user to overwrite or replace or corrupt another employee’s document by changing the… | ||
| CVE-2026-40867 | Hig | 0.46 | — | 0.00 | Apr 21, 2026 | Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, a broken access control vulnerability in the helpdesk attachment viewer allows any authenticated user to view attachments from other tickets by changing the attachment ID. This can expose… | ||
| CVE-2026-40865 | Hig | 0.46 | — | 0.00 | Apr 21, 2026 | Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in the employee document viewer allows any authenticated user to access other employees’ uploaded documents by changing the document ID in the request. This… | ||
| CVE-2026-41513 | Med | 0.24 | — | 0.00 | May 12, 2026 | Horilla is an HR and CRM software. In 1.5.0, the notification endpoints trust the unvalidated next parameter and redirect users to arbitrary external URLs. This allows an attacker to turn trusted application links into phishing or social-engineering redirects. | ||
| CVE-2026-3050 | Low | 0.23 | 3.5 | 0.00 | Feb 24, 2026 | A flaw has been found in horilla-opensource horilla up to 1.0.2. Impacted is an unknown function of the file static/assets/js/global.js of the component Leads Module. This manipulation of the argument Notes causes cross site scripting. The attack is possible to be carried out… | ||
| CVE-2026-3049 | Med | 0.21 | 4.3 | 0.00 | Feb 24, 2026 | A vulnerability was detected in horilla-opensource horilla up to 1.0.2. This issue affects the function get of the file horilla_generics/global_search.py of the component Query Parameter Handler. The manipulation of the argument prev_url results in open redirect. The attack can… | ||
| CVE-2025-48868 | 0.03 | — | 0.02 | Sep 24, 2025 | Horilla is a free and open source Human Resource Management System (HRMS). An authenticated Remote Code Execution (RCE) vulnerability exists in Horilla 1.3.0 due to the unsafe use of Python’s eval() function on a user-controlled query parameter in the project_bulk_archive… | |||
| CVE-2026-24039 | 0.00 | — | 0.00 | Jan 22, 2026 | Horilla is a free and open source Human Resource Management System (HRMS). Version 1.4.0 has Improper Access Control, allowing low-privileged employees to self-approve documents they have uploaded. The document-approval UI is intended to be restricted to administrator or… | |||
| CVE-2026-24038 | 0.00 | — | 0.00 | Jan 22, 2026 | Horilla is a free and open source Human Resource Management System (HRMS). In version 1.4.0, the OTP handling logic has a flawed equality check that can be bypassed. When an OTP expires, the server returns None, and if an attacker omits the otp field from their POST request, the… | |||
| CVE-2026-24037 | 0.00 | — | 0.00 | Jan 22, 2026 | Horilla is a free and open source Human Resource Management System (HRMS). In version 1.4.0, the has_xss() function attempts to block XSS by matching input against a set of regex patterns. However, the regexes are incomplete and context-agnostic, making them easy to bypass.… | |||
| CVE-2026-24036 | 0.00 | — | 0.00 | Jan 22, 2026 | Horilla is a free and open source Human Resource Management System (HRMS). Versions 1.4.0 and above expose unpublished job postings through the /recruitment/recruitment-details// endpoint without authentication. The response includes draft job titles, descriptions and… | |||
| CVE-2026-24035 | 0.00 | — | 0.00 | Jan 22, 2026 | Horilla is a free and open source Human Resource Management System (HRMS). An Improper Access Control vulnerability exists in Horilla HR Software starting in version 1.4.0 and prior to version 1.5.0, allowing any authenticated employee to upload documents on behalf of another… | |||
| CVE-2026-24034 | 0.00 | — | 0.00 | Jan 22, 2026 | Horilla is a free and open source Human Resource Management System (HRMS). In versions prior to 1.5.0, a cross-site scripting vulnerability can be triggered because the extension and content-type are not checked during the profile photo update step. Version 1.5.0 fixes the issue. | |||
| CVE-2026-24010 | 0.00 | — | 0.00 | Jan 22, 2026 | Horilla is a free and open source Human Resource Management System (HRMS). A critical File Upload vulnerability in versions prior to 1.5.0, with Social Engineering, allows authenticated users to deploy phishing attacks. By uploading a malicious HTML file disguised as a profile… | |||
| CVE-2025-59832 | 0.00 | — | 0.00 | Sep 25, 2025 | Horilla is a free and open source Human Resource Management System (HRMS). Prior to version 1.4.0, there is a stored XSS vulnerability in the ticket comment editor. A low-privilege authenticated user could run arbitrary JavaScript in an admin’s browser, exfiltrate the… | |||
| CVE-2025-59525 | 0.00 | — | 0.00 | Sep 24, 2025 | Horilla is a free and open source Human Resource Management System (HRMS). Prior to version 1.4.0, improper sanitization across the application allows XSS via uploaded SVG (and via allowed ), which can be chained to execute JavaScript whenever users view impacted content… | |||
| CVE-2025-59524 | 0.00 | — | 0.00 | Sep 24, 2025 | Horilla is a free and open source Human Resource Management System (HRMS). Prior to version 1.4.0, the file upload flow performs validation only in the browser and does not enforce server-side checks. An attacker can bypass the client-side validation (for example, with an… | |||
| CVE-2025-48867 | 0.00 | — | 0.00 | Sep 24, 2025 | Horilla is a free and open source Human Resource Management System (HRMS). A stored cross-site scripting (XSS) vulnerability in Horilla HRM 1.3.0 allows authenticated admin or privileged users to inject malicious JavaScript payloads into multiple fields in the Project and Task… | |||
| CVE-2025-48869 | 0.00 | — | 0.00 | Sep 24, 2025 | Horilla is a free and open source Human Resource Management System (HRMS). Unauthenticated users can access uploaded resume files in Horilla 1.3.0 by directly guessing or predicting file URLs. These files are stored in a publicly accessible directory, allowing attackers to… | |||
| CVE-2025-47789 | 0.00 | — | 0.00 | May 15, 2025 | Horilla is a free and open source Human Resource Management System (HRMS). In versions up to and including 1.3, an attacker can craft a Horilla URL that refers to an external domain. Upon clicking and logging in, the user is redirected to an external domain. This allows the… |
- risk 0.56cvss —epss 0.00
Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in the employee document upload endpoint allows any authenticated user to overwrite or replace or corrupt another employee’s document by changing the…
- risk 0.46cvss —epss 0.00
Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, a broken access control vulnerability in the helpdesk attachment viewer allows any authenticated user to view attachments from other tickets by changing the attachment ID. This can expose…
- risk 0.46cvss —epss 0.00
Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in the employee document viewer allows any authenticated user to access other employees’ uploaded documents by changing the document ID in the request. This…
- risk 0.24cvss —epss 0.00
Horilla is an HR and CRM software. In 1.5.0, the notification endpoints trust the unvalidated next parameter and redirect users to arbitrary external URLs. This allows an attacker to turn trusted application links into phishing or social-engineering redirects.
- risk 0.23cvss 3.5epss 0.00
A flaw has been found in horilla-opensource horilla up to 1.0.2. Impacted is an unknown function of the file static/assets/js/global.js of the component Leads Module. This manipulation of the argument Notes causes cross site scripting. The attack is possible to be carried out…
- risk 0.21cvss 4.3epss 0.00
A vulnerability was detected in horilla-opensource horilla up to 1.0.2. This issue affects the function get of the file horilla_generics/global_search.py of the component Query Parameter Handler. The manipulation of the argument prev_url results in open redirect. The attack can…
- CVE-2025-48868Sep 24, 2025risk 0.03cvss —epss 0.02
Horilla is a free and open source Human Resource Management System (HRMS). An authenticated Remote Code Execution (RCE) vulnerability exists in Horilla 1.3.0 due to the unsafe use of Python’s eval() function on a user-controlled query parameter in the project_bulk_archive…
- CVE-2026-24039Jan 22, 2026risk 0.00cvss —epss 0.00
Horilla is a free and open source Human Resource Management System (HRMS). Version 1.4.0 has Improper Access Control, allowing low-privileged employees to self-approve documents they have uploaded. The document-approval UI is intended to be restricted to administrator or…
- CVE-2026-24038Jan 22, 2026risk 0.00cvss —epss 0.00
Horilla is a free and open source Human Resource Management System (HRMS). In version 1.4.0, the OTP handling logic has a flawed equality check that can be bypassed. When an OTP expires, the server returns None, and if an attacker omits the otp field from their POST request, the…
- CVE-2026-24037Jan 22, 2026risk 0.00cvss —epss 0.00
Horilla is a free and open source Human Resource Management System (HRMS). In version 1.4.0, the has_xss() function attempts to block XSS by matching input against a set of regex patterns. However, the regexes are incomplete and context-agnostic, making them easy to bypass.…
- CVE-2026-24036Jan 22, 2026risk 0.00cvss —epss 0.00
Horilla is a free and open source Human Resource Management System (HRMS). Versions 1.4.0 and above expose unpublished job postings through the /recruitment/recruitment-details// endpoint without authentication. The response includes draft job titles, descriptions and…
- CVE-2026-24035Jan 22, 2026risk 0.00cvss —epss 0.00
Horilla is a free and open source Human Resource Management System (HRMS). An Improper Access Control vulnerability exists in Horilla HR Software starting in version 1.4.0 and prior to version 1.5.0, allowing any authenticated employee to upload documents on behalf of another…
- CVE-2026-24034Jan 22, 2026risk 0.00cvss —epss 0.00
Horilla is a free and open source Human Resource Management System (HRMS). In versions prior to 1.5.0, a cross-site scripting vulnerability can be triggered because the extension and content-type are not checked during the profile photo update step. Version 1.5.0 fixes the issue.
- CVE-2026-24010Jan 22, 2026risk 0.00cvss —epss 0.00
Horilla is a free and open source Human Resource Management System (HRMS). A critical File Upload vulnerability in versions prior to 1.5.0, with Social Engineering, allows authenticated users to deploy phishing attacks. By uploading a malicious HTML file disguised as a profile…
- CVE-2025-59832Sep 25, 2025risk 0.00cvss —epss 0.00
Horilla is a free and open source Human Resource Management System (HRMS). Prior to version 1.4.0, there is a stored XSS vulnerability in the ticket comment editor. A low-privilege authenticated user could run arbitrary JavaScript in an admin’s browser, exfiltrate the…
- CVE-2025-59525Sep 24, 2025risk 0.00cvss —epss 0.00
Horilla is a free and open source Human Resource Management System (HRMS). Prior to version 1.4.0, improper sanitization across the application allows XSS via uploaded SVG (and via allowed ), which can be chained to execute JavaScript whenever users view impacted content…
- CVE-2025-59524Sep 24, 2025risk 0.00cvss —epss 0.00
Horilla is a free and open source Human Resource Management System (HRMS). Prior to version 1.4.0, the file upload flow performs validation only in the browser and does not enforce server-side checks. An attacker can bypass the client-side validation (for example, with an…
- CVE-2025-48867Sep 24, 2025risk 0.00cvss —epss 0.00
Horilla is a free and open source Human Resource Management System (HRMS). A stored cross-site scripting (XSS) vulnerability in Horilla HRM 1.3.0 allows authenticated admin or privileged users to inject malicious JavaScript payloads into multiple fields in the Project and Task…
- CVE-2025-48869Sep 24, 2025risk 0.00cvss —epss 0.00
Horilla is a free and open source Human Resource Management System (HRMS). Unauthenticated users can access uploaded resume files in Horilla 1.3.0 by directly guessing or predicting file URLs. These files are stored in a publicly accessible directory, allowing attackers to…
- CVE-2025-47789May 15, 2025risk 0.00cvss —epss 0.00
Horilla is a free and open source Human Resource Management System (HRMS). In versions up to and including 1.3, an attacker can craft a Horilla URL that refers to an external domain. Upon clicking and logging in, the user is redirected to an external domain. This allows the…
Page 1 of 2