Description
Horilla is a free and open source Human Resource Management System (HRMS). A critical File Upload vulnerability in versions prior to 1.5.0, with Social Engineering, allows authenticated users to deploy phishing attacks. By uploading a malicious HTML file disguised as a profile picture, an attacker can create a convincing login page replica that steals user credentials. When a victim visits the uploaded file URL, they see an authentic-looking "Session Expired" message prompting them to re-authenticate. All entered credentials are captured and sent to the attacker's server, enabling Account Takeover. Version 1.5.0 patches the issue.
Published: 2026-01-22
Score: 8.0 High
EPSS: < 1% Very Low
KEV: No
Impact: Account Takeover
Action: Apply Patch
AI Analysis

Impact

A critical file upload flaw exists in Horilla HRMS versions before 1.5.0 that permits authenticated users to upload a malicious HTML file disguised as a profile picture. The attacker can then host that file on the platform, presenting a convincing replica of the login page that captures credentials when a victim visits the URL. This enables a stealthy credential stealing attack that can culminate in full account takeover. The likely attack vector is an authenticated user uploading a deceptive file, followed by social engineering to lure a victim to the hosted page.

Affected Systems

The vulnerability affects all deployments of Horilla HRMS running any version prior to 1.5.0. The affected product is the Horilla open-source HRMS, which lacks proper validation of uploaded file types.

Risk and Exploitability

The CVSS score for this issue is 8.0 and the EPSS indicates an exploitation probability of less than 1%, suggesting the flaw is considered high severity but currently low likelihood of being actively exploited. It is not listed in the CISA KEV catalog, and exploiting it requires an attacker to first obtain an authenticated session to upload the malicious file before persuading a victim to visit the crafted URL. The combination of these prerequisites results in a moderate exploitation risk for organizations that have active user bases and publicly expose the upload directory.

Generated by OpenCVE AI on April 18, 2026 at 15:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Horilla to version 1.5.0 or newer, which contains the fix for the file upload bug.
  • Reconfigure the HRMS file‑upload feature to reject .htm and .html file extensions, allowing only safe image formats such as .jpg and .png.
  • Place the upload directory outside the web‑root or configure the web server to serve uploaded files as text/plain or with strict MIME type checks to prevent execution of any embedded HTML content.

Generated by OpenCVE AI on April 18, 2026 at 15:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 29 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-434
CPEs cpe:2.3:a:horilla:horilla:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 8.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Horilla
Horilla horilla
Vendors & Products Horilla
Horilla horilla

Thu, 22 Jan 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 22 Jan 2026 02:45:00 +0000

Type Values Removed Values Added
Description Horilla is a free and open source Human Resource Management System (HRMS). A critical File Upload vulnerability in versions prior to 1.5.0, with Social Engineering, allows authenticated users to deploy phishing attacks. By uploading a malicious HTML file disguised as a profile picture, an attacker can create a convincing login page replica that steals user credentials. When a victim visits the uploaded file URL, they see an authentic-looking "Session Expired" message prompting them to re-authenticate. All entered credentials are captured and sent to the attacker's server, enabling Account Takeover. Version 1.5.0 patches the issue.
Title Horilla has HTML Injection Issue that, with Phishing, Leads to Account Takeover
Weaknesses CWE-474
CWE-74
References
Metrics cvssV3_0

{'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Horilla Horilla
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-22T12:48:02.914Z

Reserved: 2026-01-19T18:49:20.660Z

Link: CVE-2026-24010

cve-icon Vulnrichment

Updated: 2026-01-22T12:47:58.389Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-22T03:15:48.090

Modified: 2026-01-29T20:00:49.013

Link: CVE-2026-24010

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T15:30:03Z

Weaknesses