
Description

Horilla is a free and open source Human Resource Management System (HRMS). A critical file upload vulnerability in versions prior to 1.5.0, combined with social engineering, allows authenticated users to deploy phishing attacks. By uploading a malicious HTML file disguised as a profile picture, an attacker can create a convincing replica of the login page that steals user credentials. When a victim visits the URL of the uploaded file, they see an authentic-looking "Session Expired" message prompting them to re-authenticate. All entered credentials are captured and sent to the attacker's server, enabling account takeover. Version 1.5.0 patches the issue.
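The defensive counterpart to the bug described above, as an added example that is not part of the advisory or of Horilla's own code: an upload handler should verify that a "profile picture" really is an image before storing it, and should serve stored uploads with a server-chosen content type and `nosniff`, so an HTML document can never be rendered from the upload path. The function names and the sample payloads are constructed for this illustration.

```python
"""Added defensive example (not Horilla project code): reject uploads that
claim to be profile pictures but are not images, and build safe response
headers for serving the stored file. Sample inputs are constructed."""
import re
from typing import Dict, Optional, Tuple

# Leading bytes (magic numbers) for the image formats a profile-picture
# field should accept; anything else is refused regardless of extension.
IMAGE_SIGNATURES = {
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/gif": [b"GIF87a", b"GIF89a"],
}

# Markup that has no business inside an image. Scanning the whole body
# also catches polyglots that carry a valid image header followed by HTML.
HTML_MARKERS = re.compile(rb"<!doctype\s+html|<html|<script|<svg", re.IGNORECASE)


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the file's leading bytes, or None."""
    for mime, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    return None


def validate_profile_picture(data: bytes, declared_type: str) -> Tuple[bool, str]:
    """Accept only real images whose sniffed type matches the declared type.

    Returns (accepted, reason); on success the reason is the type to store.
    """
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return False, "content does not start with a known image signature"
    if sniffed != declared_type.lower():
        return False, f"declared {declared_type} but content looks like {sniffed}"
    if HTML_MARKERS.search(data):
        return False, "image contains HTML markup"
    return True, sniffed


def download_headers(stored_type: str) -> Dict[str, str]:
    """Headers for serving a stored upload: the type the server validated,
    never one derived from the uploaded filename, plus nosniff so the
    browser cannot reinterpret the bytes as an HTML document."""
    return {
        "Content-Type": stored_type,
        "X-Content-Type-Options": "nosniff",
    }
```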

PUBLISHED Reserved 2026-01-19 | Published 2026-01-22 | Updated 2026-01-22 | Assigner GitHub_M

HIGH: 8.8 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-474: Use of Function with Inconsistent Implementations

Product status

< 1.5.0: affected

References

github.com/...orilla/security/advisories/GHSA-5jfv-gw8w-49h3

github.com/horilla-opensource/horilla/releases/tag/1.5.0

cve.org (CVE-2026-24010)

nvd.nist.gov (CVE-2026-24010)
