
Description

Horilla is HR and CRM software. In version 1.5.0, the notification endpoints trust the unvalidated next parameter and redirect users to arbitrary external URLs. This allows an attacker to turn trusted application links into phishing or social-engineering redirects.

PUBLISHED | Reserved 2026-04-20 | Published 2026-05-12 | Updated 2026-05-13 | Assigner GitHub_M

MEDIUM: 4.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Problem types

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

Product status

<= 1.5.0: affected

References

github.com/...lla-hr/security/advisories/GHSA-vqg4-fc32-cwvw exploit

github.com/...lla-hr/security/advisories/GHSA-vqg4-fc32-cwvw

github.com/...ommit/734f0c7ed4ac96fe8615d1b592180ea8a46eb8b6

cve.org (CVE-2026-41513)

nvd.nist.gov (CVE-2026-41513)
