Description
Horilla is an HR and CRM software. In 1.5.0, the notification endpoints trust the unvalidated next parameter and redirect users to arbitrary external URLs. This allows an attacker to turn trusted application links into phishing or social-engineering redirects.
Published: 2026-05-12
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Horilla, an HR and CRM platform, accepts an unvalidated next query parameter in its notification endpoints. Because the application redirects to whatever URL that parameter names, an attacker can send users from a trusted application link to an arbitrary external site, turning the link into a phishing or social-engineering lure. The vulnerability undermines user trust and could facilitate credential theft or malware delivery if users follow the redirect to a malicious site.

Affected Systems

The affected product is Horilla HR (horilla:horilla-hr), version 1.5.0. No other versions are explicitly listed as impacted in the available data.

Risk and Exploitability

The CVSS score is 4.8, indicating moderate severity. EPSS is not available, and the flaw is not listed in CISA KEV, suggesting no publicly known widespread exploitation yet. The likely attack vector is a web request containing a crafted next parameter, which the application trusts and uses to redirect the user without validation. An attacker can distribute a link to the trusted application that, when visited, redirects the user to an attacker-controlled domain, enabling phishing or social-engineering scenarios.

Generated by OpenCVE AI on May 12, 2026 at 20:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Horilla update that includes validation of the next parameter if an official patch is released; if not available, patch the source by restricting allowed redirect URLs to the application domain.
  • Deploy a web application firewall rule to block or warn on redirects to external domains.
  • Monitor user activity for suspicious redirection patterns, and instruct users to verify the destination before proceeding with external links.
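The first recommended action, restricting redirect targets to the application's own domain, is the standard CWE-601 fix. The following is an added illustration written for this record, not Horilla's code or a vendor patch: a small, standard-library-only validator for a next value, with the hostnames (hr.example.com, other.example), the fallback path and the function names all constructed for the example. Horilla is a Django application, and Django ships django.utils.http.url_has_allowed_host_and_scheme, which performs the same check; the version here spells the logic out so the edge cases are visible.

```python
"""Server-side validation of a ``next`` redirect target (CWE-601 mitigation).

Added example, not Horilla's code. Hostnames and paths are constructed.
"""
from urllib.parse import urlsplit

# Hosts this deployment may redirect to (constructed values; in a real
# deployment this is the request host plus any configured application domains).
ALLOWED_HOSTS = frozenset({"hr.example.com"})

# Where to send the user when ``next`` is missing or unsafe.
SAFE_FALLBACK = "/notifications/"


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS, require_https=False):
    """Return True only if ``target`` keeps the user on this application.

    Accepts a same-site relative path or an absolute http(s) URL whose host is
    in ``allowed_hosts``. Rejects other hosts, protocol-relative URLs
    (``//other.example``), backslash variants (``/\\other.example``) that
    browsers normalise into a new host, userinfo tricks
    (``https://hr.example.com@other.example/``) and non-http(s) schemes.
    """
    if not target:
        return False
    # Browsers treat "\" like "/"; normalise first so the netloc check sees
    # what the browser will see.
    target = target.strip().replace("\\", "/")
    parts = urlsplit(target)

    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    if require_https and parts.scheme == "http":
        return False

    if not parts.scheme and not parts.netloc:
        # Relative reference: must be a single-slash path, never "//host".
        return target.startswith("/") and not target.startswith("//")

    # Absolute or protocol-relative URL: the parsed hostname (port and
    # userinfo stripped, lower-cased by urlsplit) must be one of ours.
    host = parts.hostname or ""
    return host in allowed_hosts


def safe_redirect_target(next_value, fallback=SAFE_FALLBACK):
    """Return ``next_value`` if it passes validation, otherwise ``fallback``.

    A view would call this instead of redirecting to ``next`` directly.
    """
    if isinstance(next_value, str) and is_safe_redirect(next_value):
        return next_value
    return fallback


if __name__ == "__main__":
    # Constructed sample inputs, benign and hostile, to show the decision.
    for candidate in (
        "/notifications/?page=2",
        "https://hr.example.com/notifications/",
        "https://other.example/login",
        "//other.example",
        "/\\other.example",
        "https://hr.example.com@other.example/",
        "javascript:alert(1)",
    ):
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)}")
```

The check falls back to a fixed in-application path rather than returning an error, so a user who clicks a tampered link still lands somewhere safe; for detection, logging the rejected value alongside the requester is what makes the third recommended action (monitoring redirection patterns) actionable.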

Advisories

No advisories yet.

History

Wed, 13 May 2026 13:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Horilla, Horilla horilla
Vendors & Products | | Horilla, Horilla horilla

Tue, 12 May 2026 17:30:00 +0000

Type | Values Removed | Values Added
Description | | Horilla is an HR and CRM software. In 1.5.0, the notification endpoints trust the unvalidated next parameter and redirect users to arbitrary external URLs. This allows an attacker to turn trusted application links into phishing or social-engineering redirects.
Title | | Horilla: Open Redirect via Unvalidated `next` Parameter in Notification Endpoints
Weaknesses | | CWE-601
References | |
Metrics | | cvssV4_0 {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-13T12:43:21.433Z

Reserved: 2026-04-20T18:18:50.681Z

Link: CVE-2026-41513

Vulnrichment

Updated: 2026-05-13T12:42:04.687Z

NVD

Status : Deferred

Published: 2026-05-12T18:17:22.697

Modified: 2026-05-13T16:10:57.817

Link: CVE-2026-41513

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T10:15:06Z

Weaknesses