Vulnerability Description
Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in the employee document viewer allows any authenticated user to access other employees’ uploaded documents by changing the document ID in the request. This exposes sensitive HR files such as identity documents, contracts, certificates, and other private employee records.
Related Weaknesses (CWE)
References
- https://github.com/horilla/horilla-hr/security/advisories/GHSA-85cj-fwjh-fjv7
- https://github.com/horilla/horilla-hr/security/advisories/GHSA-85cj-fwjh-fjv7
FAQ
What is CVE-2026-40865?
CVE-2026-40865 is a documented vulnerability. Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in the employee document viewer allows any authenticated user to access other e...
How severe is CVE-2026-40865?
CVSS scoring is not yet available for CVE-2026-40865. Check NVD for updates.
Is there a patch for CVE-2026-40865?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.