{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24010", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-19T18:49:20.660Z", "datePublished": "2026-01-22T02:37:19.130Z", "dateUpdated": "2026-01-22T12:48:02.914Z"}, "containers": {"cna": {"title": "Horilla has HTML Injection Issue that, with Phishing, Leads to Account Takeover", "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "lang": "en", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-474", "lang": "en", "description": "CWE-474: Use of Function with Inconsistent Implementations", "type": "CWE"}]}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}}], "references": [{"name": "https://github.com/horilla-opensource/horilla/security/advisories/GHSA-5jfv-gw8w-49h3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/horilla-opensource/horilla/security/advisories/GHSA-5jfv-gw8w-49h3"}, {"name": "https://github.com/horilla-opensource/horilla/releases/tag/1.5.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/horilla-opensource/horilla/releases/tag/1.5.0"}], "affected": [{"vendor": "horilla-opensource", "product": "horilla", "versions": [{"version": "< 1.5.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-22T02:37:19.130Z"}, "descriptions": [{"lang": "en", "value": "Horilla is a free and open source Human Resource Management System (HRMS). A critical File Upload vulnerability in versions prior to 1.5.0, with Social Engineering, allows authenticated users to deploy phishing attacks. By uploading a malicious HTML file disguised as a profile picture, an attacker can create a convincing login page replica that steals user credentials. When a victim visits the uploaded file URL, they see an authentic-looking \"Session Expired\" message prompting them to re-authenticate. All entered credentials are captured and sent to the attacker's server, enabling Account Takeover. Version 1.5.0 patches the issue."}], "source": {"advisory": "GHSA-5jfv-gw8w-49h3", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-22T12:47:16.513885Z", "id": "CVE-2026-24010", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T12:48:02.914Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24010", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-22T12:47:16.513885Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T12:47:58.389Z"}}], "cna": {"title": "Horilla has HTML Injection Issue that, with Phishing, Leads to Account Takeover", "source": {"advisory": "GHSA-5jfv-gw8w-49h3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "horilla-opensource", "product": "horilla", "versions": [{"status": "affected", "version": "< 1.5.0"}]}], "references": [{"url": "https://github.com/horilla-opensource/horilla/security/advisories/GHSA-5jfv-gw8w-49h3", "name": "https://github.com/horilla-opensource/horilla/security/advisories/GHSA-5jfv-gw8w-49h3", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/horilla-opensource/horilla/releases/tag/1.5.0", "name": "https://github.com/horilla-opensource/horilla/releases/tag/1.5.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Horilla is a free and open source Human Resource Management System (HRMS). A critical File Upload vulnerability in versions prior to 1.5.0, with Social Engineering, allows authenticated users to deploy phishing attacks. By uploading a malicious HTML file disguised as a profile picture, an attacker can create a convincing login page replica that steals user credentials. When a victim visits the uploaded file URL, they see an authentic-looking \"Session Expired\" message prompting them to re-authenticate. All entered credentials are captured and sent to the attacker's server, enabling Account Takeover. Version 1.5.0 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-474", "description": "CWE-474: Use of Function with Inconsistent Implementations"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-22T02:37:19.130Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24010", "state": "PUBLISHED", "dateUpdated": "2026-01-22T12:48:02.914Z", "dateReserved": "2026-01-19T18:49:20.660Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-22T02:37:19.130Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:horilla:horilla:*:*:*:*:*:*:*:*", "matchCriteriaId": "57934F7E-B93F-40A5-9E9A-CB97D7568936", "versionEndExcluding": "1.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Horilla is a free and open source Human Resource Management System (HRMS). A critical File Upload vulnerability in versions prior to 1.5.0, with Social Engineering, allows authenticated users to deploy phishing attacks. By uploading a malicious HTML file disguised as a profile picture, an attacker can create a convincing login page replica that steals user credentials. When a victim visits the uploaded file URL, they see an authentic-looking \"Session Expired\" message prompting them to re-authenticate. All entered credentials are captured and sent to the attacker's server, enabling Account Takeover. Version 1.5.0 patches the issue."}], "id": "CVE-2026-24010", "lastModified": "2026-01-29T20:00:49.013", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-22T03:15:48.090", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/horilla-opensource/horilla/releases/tag/1.5.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/horilla-opensource/horilla/security/advisories/GHSA-5jfv-gw8w-49h3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-474"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-434"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T15:27:43.735518+00:00", "value": {"mitigation_remediation": ["Upgrade Horilla to version 1.5.0 or newer, which contains the fix for the file upload bug.", "Reconfigure the HRMS file\u2011upload feature to reject .htm and .html file extensions, allowing only safe image formats such as .jpg and .png.", "Place the upload directory outside the web\u2011root or configure the web server to serve uploaded files as text/plain or with strict MIME type checks to prevent execution of any embedded HTML content."], "summary": {"action": "Apply Patch", "impact": "Account Takeover"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all deployments of Horilla HRMS running any version prior to 1.5.0. The affected product is the Horilla open-source HRMS, which lacks proper validation of uploaded file types.", "description_and_impact": "A critical file upload flaw exists in Horilla HRMS versions before 1.5.0 that permits authenticated users to upload a malicious HTML file disguised as a profile picture. The attacker can then host that file on the platform, presenting a convincing replica of the login page that captures credentials when a victim visits the URL. This enables a stealthy credential stealing attack that can culminate in full account takeover. The likely attack vector is an authenticated user uploading a deceptive file, followed by social engineering to lure a victim to the hosted page.", "risk_and_exploitability": "The CVSS score for this issue is 8.0 and the EPSS indicates an exploitation probability of less than 1%, suggesting the flaw is considered high severity but currently low likelihood of being actively exploited. It is not listed in the CISA KEV catalog, and exploiting it requires an attacker to first obtain an authenticated session to upload the malicious file before persuading a victim to visit the crafted URL. The combination of these prerequisites results in a moderate exploitation risk for organizations that have active user bases and publicly expose the upload directory."}}}}, "created": "2026-01-22T10:07:55.265519+00:00", "updated": "2026-04-18T15:30:03.967478+00:00", "vendors": ["horilla", "horilla$PRODUCT$horilla"]}