CVE-2026-40866

Vulnerability Description

Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in the employee document upload endpoint allows any authenticated user to overwrite or replace or corrupt another employee’s document by changing the document ID in the upload request. This enables unauthorized modification of HR records.

Related Weaknesses (CWE)

CWE-639 CWE-284

References

https://github.com/horilla/horilla-hr/security/advisories/GHSA-q2qh-v828-r4p7
https://github.com/horilla/horilla-hr/security/advisories/GHSA-q2qh-v828-r4p7

FAQ

What is CVE-2026-40866?

CVE-2026-40866 is a documented vulnerability. Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in the employee document upload endpoint allows any authenticated user to overw...

How severe is CVE-2026-40866?

CVSS scoring is not yet available for CVE-2026-40866. Check NVD for updates.

Is there a patch for CVE-2026-40866?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.