Description
A vulnerability was detected in horilla-opensource horilla up to 1.0.2. This issue affects the function get of the file horilla_generics/global_search.py of the component Query Parameter Handler. The manipulation of the argument prev_url results in open redirect. The attack can be executed remotely. The exploit is now public and may be used. Upgrading to version 1.0.3 is capable of addressing this issue. The patch is identified as 730b5a44ff060916780c44a4bdbc8ced70a2cd27. The affected component should be upgraded.
Published: 2026-02-24
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Open Redirect
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises in horilla-opensource horilla when an attacker manipulates the prev_url argument in the global_search.py module, causing the application to redirect to a supplied URL. Classified as CWE-601, this open redirect flaw can be exploited remotely; based on the description it is inferred that this may facilitate phishing or lure users to malicious sites, potentially compromising trust and exposing sensitive data.

Affected Systems

Affected versions include horilla-opensource horilla up to 1.0.2; the fix is commit 730b5a44 and ships in release 1.0.3. Administrators should check for these versions and confirm whether the patch has been applied.

Risk and Exploitability

The CVSS base score of 5.3 indicates a moderate risk, while the EPSS rate of less than 1% suggests a low likelihood of exploitation at present. Based on the publicly documented remote attack capability, it is inferred that remediation is warranted to prevent user deception.

Generated by OpenCVE AI on April 18, 2026 at 17:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the horilla 1.0.3 release or apply the specific patch commit 730b5a44 to remove the prev_url redirect flaw.
  • If the prev_url parameter remains exposed, enforce validation or whitelisting so redirects only go to known, trusted domains.
  • Conduct a web-application security scan or manual testing to confirm that requests containing arbitrary URLs no longer result in a redirect.
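One way to implement the allow-list check from the second action, as an added example that is not horilla's code and not the 730b5a44 patch; the allowed hostname and the sample inputs are constructed. It rejects foreign absolute URLs, protocol-relative forms (including the multi-slash and backslash variants browsers still resolve to a remote host) and non-http(s) schemes, and falls back to a local path otherwise:

```python
from urllib.parse import urlsplit

# Constructed allow-list for the example; a deployment would use the
# application's own configured host(s) (e.g. Django's ALLOWED_HOSTS).
ALLOWED_HOSTS = {"hr.example.internal"}
FALLBACK = "/"


def safe_redirect_target(prev_url, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return prev_url if it points at this site, otherwise the fallback path."""
    if not prev_url:
        return fallback
    candidate = prev_url.strip()
    # Browsers treat backslashes like forward slashes, so normalise first;
    # otherwise "/\\evil.example" parses as a local path but redirects remotely.
    candidate = candidate.replace("\\", "/")
    # Embedded whitespace or control characters are never legitimate here.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in candidate):
        return fallback
    if candidate.startswith("//"):
        # Network-path reference. Browsers skip any run of leading slashes
        # before reading the host, so "///evil.example" is remote too.
        candidate = "//" + candidate.lstrip("/")
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return fallback  # javascript:, data:, etc.
    if parts.netloc:
        # Absolute or protocol-relative URL: the host must be allow-listed.
        # hostname strips userinfo, so "http://good@evil.example/" yields evil.example.
        host = (parts.hostname or "").lower()
        return candidate if host in allowed_hosts else fallback
    # No authority: only an absolute path on this site is accepted.
    if not candidate.startswith("/"):
        return fallback
    return candidate
```

Django ships an equivalent helper, `django.utils.http.url_has_allowed_host_and_scheme`, which is the better choice inside a Django view; the stdlib version above exists so the example runs without the framework.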

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Feb 2026 00:45:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in horilla-opensource horilla up to 1.0.2. This issue affects the function get of the file horilla_generics/global_search.py of the component Query Parameter Handler. The manipulation of the argument prev_url results in open redirect. The attack can be executed remotely. The exploit is now public and may be used. Upgrading to version 1.0.3 is capable of addressing this issue. The patch is identified as 730b5a44ff060916780c44a4bdbc8ced70a2cd27. The affected component should be upgraded.
Title horilla-opensource horilla Query Parameter global_search.py get redirect
First Time appeared Horilla
Horilla horilla
Weaknesses CWE-601
CPEs cpe:2.3:a:horilla:horilla:*:*:*:*:*:*:*:*
Vendors & Products Horilla
Horilla horilla
References
Metrics cvssV2_0

{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C'}

cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-26T14:47:02.181Z

Reserved: 2026-02-23T17:41:53.245Z

Link: CVE-2026-3049

Vulnrichment

Updated: 2026-02-26T14:46:51.809Z

NVD

Status : Analyzed

Published: 2026-02-24T01:16:16.087

Modified: 2026-02-25T20:13:39.507

Link: CVE-2026-3049

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T18:00:06Z

Weaknesses