
Description

Horilla is a free and open source Human Resource Management System (HRMS). In Horilla 1.3.0, unauthenticated users can access uploaded resume files by guessing or predicting their URLs: the files are stored in a publicly accessible directory and served without any authentication or authorization check, so an attacker who knows or enumerates a file path can retrieve sensitive candidate information. At time of publication there is no known patch.
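The flaw described above is the common "uploads under the public media directory" pattern: the web server hands out anything under the upload root to whoever asks, so the only protection is the unguessability of the file name. The block below is an added example, not Horilla's code, showing the fix a practitioner would apply: route resume downloads through a view that authenticates the caller, authorizes them against the candidate record, and only then reads the file, while also refusing paths that escape the upload root. Horilla is a Python (Django) application, so the example is in Python, but it deliberately uses no Django so it runs stand-alone; the `Candidate`, `User` and `can_view_candidate` names, the ownership rule, and the sample resume file are all constructed for the illustration.

```python
"""Added example (not Horilla's own code): gate resume downloads behind an
authentication and authorization check instead of serving them straight
from a public media directory. All names and rules below are assumptions."""
from dataclasses import dataclass
from pathlib import Path
import tempfile


@dataclass(frozen=True)
class Candidate:
    id: int
    resume_path: str      # assumed: path relative to the upload root
    owner_user_id: int    # assumed: user who owns this candidate record


@dataclass(frozen=True)
class User:
    id: int
    is_authenticated: bool
    is_recruiter: bool = False


class Forbidden(Exception):
    """Caller is not allowed to read this resume."""


class NotFound(Exception):
    """File missing, or path escapes the upload root (reported identically)."""


def can_view_candidate(user: User, candidate: Candidate) -> bool:
    """Assumed authorization rule: only an authenticated recruiter or the
    owning user may read a candidate's resume. Anonymous callers never can."""
    if not user.is_authenticated:
        return False
    return user.is_recruiter or user.id == candidate.owner_user_id


def safe_resolve(upload_root: Path, relative: str) -> Path:
    """Resolve `relative` under `upload_root`; refuse anything outside it."""
    root = upload_root.resolve()
    target = (root / relative).resolve()
    if target != root and root not in target.parents:
        raise NotFound(relative)
    return target


def serve_resume(user: User, candidate: Candidate, upload_root: Path) -> bytes:
    """Return the resume bytes only after the access check passes.
    Authorization runs before touching the filesystem so that a guessed
    URL does not even reveal whether a file exists."""
    if not can_view_candidate(user, candidate):
        raise Forbidden(f"user {user.id} may not read candidate {candidate.id}")
    target = safe_resolve(upload_root, candidate.resume_path)
    if not target.is_file():
        raise NotFound(candidate.resume_path)
    return target.read_bytes()


def _outcome(user: User, candidate: Candidate, root: Path) -> str:
    try:
        serve_resume(user, candidate, root)
        return "ok"
    except Forbidden:
        return "forbidden"
    except NotFound:
        return "not_found"


def demo() -> dict:
    """Contrast direct public-directory reads with the gated view, using a
    constructed resume file in a temporary upload root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "resumes").mkdir()
        resume = root / "resumes" / "candidate-42.pdf"
        resume.write_bytes(b"%PDF-1.4 constructed sample resume")

        cand = Candidate(id=42, resume_path="resumes/candidate-42.pdf", owner_user_id=7)
        anon = User(id=0, is_authenticated=False)
        owner = User(id=7, is_authenticated=True)
        other = User(id=8, is_authenticated=True)
        recruiter = User(id=9, is_authenticated=True, is_recruiter=True)

        results = {}
        # Vulnerable behaviour: a public directory lets anyone who guesses
        # the path read the bytes, with no identity involved at all.
        results["public_dir_anon"] = resume.read_bytes().startswith(b"%PDF")
        # Hardened behaviour: the same file is refused to anonymous and
        # unrelated users and served only to authorized ones.
        results["gated_anon"] = _outcome(anon, cand, root)
        results["gated_other"] = _outcome(other, cand, root)
        results["gated_owner"] = _outcome(owner, cand, root)
        results["gated_recruiter"] = _outcome(recruiter, cand, root)
        # A tampered relative path that climbs out of the upload root is
        # rejected as not found rather than read.
        bad = Candidate(id=43, resume_path="../../etc/passwd", owner_user_id=7)
        results["traversal"] = _outcome(owner, bad, root)
        return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The quick check for an existing deployment follows from the same idea: take a resume URL that a logged-in user can open and request it again from a fresh session with no cookies. A 200 with the document body means the directory is still being served directly; a redirect to the login page or a 403 means downloads are gated. Gating alone is not enough if the web server (or Django's media handling) still exposes the upload directory, so the directory itself must also be removed from the publicly served paths.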

Status: PUBLISHED | Reserved 2025-05-27 | Published 2025-09-24 | Updated 2025-09-24 | Assigner GitHub_M

HIGH: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

CWE-284: Improper Access Control

Product status

= 1.3.0: affected

References

github.com/...orilla/security/advisories/GHSA-99h5-x29f-727w

cve.org (CVE-2025-48869)

nvd.nist.gov (CVE-2025-48869)
