HIGH🇬🇧 English

CVE-2026-24010

CVSS 8.0v3.1pub. 2026-01-22upd. 2026-01-29

Horilla is a free and open source Human Resource Management System (HRMS). A critical File Upload vulnerability in versions prior to 1.5.0, with Social Engineering, allows authenticated users to deploy phishing attacks. By uploading a malicious HTML file disguised as a profile picture, an attacker can create a convincing login page replica that steals user credentials. When a victim visits the uploaded file URL, they see an authentic-looking "Session Expired" message prompting them to re-authenticate. All entered credentials are captured and sent to the attacker's server, enabling Account Takeover. Version 1.5.0 patches the issue.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
  • Horilla

    APP
    Horilla
    < 1.5.0
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2025-59832CRITICAL9.9PL ✓ten sam produkt

Stored XSS w edytorze komentarzy Horilla HRMS — przejęcie sesji admina

CVE-2026-24038HIGH8.1ten sam produkt

Horilla is a free and open source Human Resource Management System (HRMS). In version 1.4.0, the OTP handling ...

CVE-2025-59525HIGH7.7ten sam produkt

Horilla is a free and open source Human Resource Management System (HRMS). Prior to version 1.4.0, improper sa...

CVE-2025-48869HIGH7.5ten sam produkt

Horilla is a free and open source Human Resource Management System (HRMS). Unauthenticated users can access up...

CVE-2025-48868HIGH7.2ten sam produkt

Horilla is a free and open source Human Resource Management System (HRMS). An authenticated Remote Code Execut...

CVE-2026-24010 — HIGH 8.0 | CVEbaza.pl