CVE-2025-48867 — MEDIUM (4.8)

Vulnerability Description

Horilla is a free and open source Human Resource Management System (HRMS). A stored cross-site scripting (XSS) vulnerability in Horilla HRM 1.3.0 allows authenticated admin or privileged users to inject malicious JavaScript payloads into multiple fields in the Project and Task modules. These payloads persist in the database and are executed when viewed by an admin or other privileged users through the web interface. Although the issue is not exploitable by unauthenticated users, it still poses a high risk of session hijacking and unauthorized action within high-privilege accounts. At time of publication there is no known patch.

CVSS Score

4.8

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Horilla	Horilla	1.3

Related Weaknesses (CWE)

CWE-79

References

https://github.com/horilla-opensource/horilla/security/advisories/GHSA-w242-xv47ExploitVendor Advisory

FAQ

What is CVE-2025-48867?

CVE-2025-48867 is a vulnerability with a CVSS score of 4.8 (MEDIUM). Horilla is a free and open source Human Resource Management System (HRMS). A stored cross-site scripting (XSS) vulnerability in Horilla HRM 1.3.0 allows authenticated admin or privileged users to inje...

How severe is CVE-2025-48867?

CVE-2025-48867 has been rated MEDIUM with a CVSS base score of 4.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-48867?

Check the references section above for vendor advisories and patch information. Affected products include: Horilla Horilla.