Description
Horilla is a free and open source Human Resource Management System (HRMS). Versions 1.4.0 and above expose unpublished job postings through the /recruitment/recruitment-details// endpoint without authentication. The response includes draft job titles, descriptions and application link allowing unauthenticated users to view unpublished roles and access the application workflow for unpublished jobs. Unauthorized access to unpublished job posts can leak sensitive internal hiring information and cause confusion among candidates. This issue has been fixed in version 1.5.0.
Published: 2026-01-22
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information disclosure of unpublished job posts
Action: Patch
AI Analysis

Impact

A flaw in the Horilla HRMS, identified as a CWE‑284 authentication bypass, exposes draft job titles, descriptions, and application links via the /recruitment/recruitment-details// API endpoint without requiring authentication. This allows any internet user to retrieve sensitive internal hiring data and access the application workflow for unpublished positions, potentially leaking internal hiring strategies and causing confusion among candidates.

Affected Systems

Horilla version 1.4.0 and later releases (including 1.4.0) are vulnerable. The affects the Horilla open‑source project; upgrading to version 1.5.0 removes the flaw. No other vendor or product variants are listed.

Risk and Exploitability

The CVSS base score of 5.3 indicates a moderate severity, and the EPSS score of less than 1 % suggests low exploitation probability at present. The vulnerability is not in the CISA KEV catalog. Exploitation requires only a simple HTTP GET request to the vulnerable endpoint, which is publicly reachable; therefore the attack vector is likely network-accessible, and no additional authentication or user interaction is needed.

Generated by OpenCVE AI on April 18, 2026 at 15:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Horilla 1.5.0 update, which removes the unauthenticated endpoint.
  • If an upgrade cannot be performed immediately, block or restrict access to the /recruitment/recruitment-details// endpoint via firewall or web‑application firewall rules.
  • Disable or remove any public deployment of the Horilla HRMS installation until the update is applied or the endpoint is secured.

Generated by OpenCVE AI on April 18, 2026 at 15:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 29 Jan 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:horilla:horilla:1.4.0:*:*:*:*:*:*:*

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Horilla
Horilla horilla
Vendors & Products Horilla
Horilla horilla

Thu, 22 Jan 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 22 Jan 2026 04:00:00 +0000

Type Values Removed Values Added
Description Horilla is a free and open source Human Resource Management System (HRMS). Versions 1.4.0 and above expose unpublished job postings through the /recruitment/recruitment-details// endpoint without authentication. The response includes draft job titles, descriptions and application link allowing unauthenticated users to view unpublished roles and access the application workflow for unpublished jobs. Unauthorized access to unpublished job posts can leak sensitive internal hiring information and cause confusion among candidates. This issue has been fixed in version 1.5.0.
Title Horilla Exposes Unpublished Job Disclosures through Unauthenticated API
Weaknesses CWE-284
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Horilla Horilla
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-22T12:38:10.451Z

Reserved: 2026-01-20T22:30:11.776Z

Link: CVE-2026-24036

cve-icon Vulnrichment

Updated: 2026-01-22T12:38:06.024Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-22T04:15:59.597

Modified: 2026-01-29T18:58:16.100

Link: CVE-2026-24036

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T15:30:03Z

Weaknesses