Vulnerability Description
Horilla is a free and open source Human Resource Management System (HRMS). A critical File Upload vulnerability in versions prior to 1.5.0, with Social Engineering, allows authenticated users to deploy phishing attacks. By uploading a malicious HTML file disguised as a profile picture, an attacker can create a convincing login page replica that steals user credentials. When a victim visits the uploaded file URL, they see an authentic-looking "Session Expired" message prompting them to re-authenticate. All entered credentials are captured and sent to the attacker's server, enabling Account Takeover. Version 1.5.0 patches the issue.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Horilla | Horilla | < 1.5.0 |
Related Weaknesses (CWE)
References
- https://github.com/horilla-opensource/horilla/releases/tag/1.5.0Release Notes
- https://github.com/horilla-opensource/horilla/security/advisories/GHSA-5jfv-gw8wExploitVendor Advisory
FAQ
What is CVE-2026-24010?
CVE-2026-24010 is a vulnerability with a CVSS score of 8.0 (HIGH). Horilla is a free and open source Human Resource Management System (HRMS). A critical File Upload vulnerability in versions prior to 1.5.0, with Social Engineering, allows authenticated users to deplo...
How severe is CVE-2026-24010?
CVE-2026-24010 has been rated HIGH with a CVSS base score of 8.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-24010?
Check the references section above for vendor advisories and patch information. Affected products include: Horilla Horilla.