{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24034", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-20T22:30:11.776Z", "datePublished": "2026-01-22T02:41:37.702Z", "dateUpdated": "2026-01-22T12:44:21.620Z"}, "containers": {"cna": {"title": "Horilla has File Upload XSS", "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "lang": "en", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/horilla-opensource/horilla/security/advisories/GHSA-mvwg-7c8w-qw2p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/horilla-opensource/horilla/security/advisories/GHSA-mvwg-7c8w-qw2p"}, {"name": "https://github.com/horilla-opensource/horilla/releases/tag/1.5.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/horilla-opensource/horilla/releases/tag/1.5.0"}], "affected": [{"vendor": "horilla-opensource", "product": "horilla", "versions": [{"version": "< 1.5.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-22T02:41:37.702Z"}, "descriptions": [{"lang": "en", "value": "Horilla is a free and open source Human Resource Management System (HRMS). In versions prior to 1.5.0, a cross-site scripting vulnerability can be triggered because the extension and content-type are not checked during the profile photo update step. Version 1.5.0 fixes the issue."}], "source": {"advisory": "GHSA-mvwg-7c8w-qw2p", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-22T12:43:50.032028Z", "id": "CVE-2026-24034", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T12:44:21.620Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24034", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-22T12:43:50.032028Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T12:44:18.088Z"}}], "cna": {"title": "Horilla has File Upload XSS", "source": {"advisory": "GHSA-mvwg-7c8w-qw2p", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "horilla-opensource", "product": "horilla", "versions": [{"status": "affected", "version": "< 1.5.0"}]}], "references": [{"url": "https://github.com/horilla-opensource/horilla/security/advisories/GHSA-mvwg-7c8w-qw2p", "name": "https://github.com/horilla-opensource/horilla/security/advisories/GHSA-mvwg-7c8w-qw2p", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/horilla-opensource/horilla/releases/tag/1.5.0", "name": "https://github.com/horilla-opensource/horilla/releases/tag/1.5.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Horilla is a free and open source Human Resource Management System (HRMS). In versions prior to 1.5.0, a cross-site scripting vulnerability can be triggered because the extension and content-type are not checked during the profile photo update step. Version 1.5.0 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-22T02:41:37.702Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24034", "state": "PUBLISHED", "dateUpdated": "2026-01-22T12:44:21.620Z", "dateReserved": "2026-01-20T22:30:11.776Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-22T02:41:37.702Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:horilla:horilla:*:*:*:*:*:*:*:*", "matchCriteriaId": "57934F7E-B93F-40A5-9E9A-CB97D7568936", "versionEndExcluding": "1.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Horilla is a free and open source Human Resource Management System (HRMS). In versions prior to 1.5.0, a cross-site scripting vulnerability can be triggered because the extension and content-type are not checked during the profile photo update step. Version 1.5.0 fixes the issue."}], "id": "CVE-2026-24034", "lastModified": "2026-01-29T19:03:50.480", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-22T04:15:59.303", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/horilla-opensource/horilla/releases/tag/1.5.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/horilla-opensource/horilla/security/advisories/GHSA-mvwg-7c8w-qw2p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T15:27:25.945176+00:00", "value": {"mitigation_remediation": ["Upgrade to Horilla 1.5.0 or later to obtain the vendor patch.", "If an upgrade cannot be performed immediately, configure the upload handler to accept only trusted image file extensions (e.g., .jpg, .png, .gif) and verify the MIME type server\u2011side.", "Serve uploaded images with a Content\u2011Disposition header set to attachment and proper Content\u2011Type headers to prevent the file from being executed as script content."], "summary": {"action": "Apply patch", "impact": "Cross\u2011site scripting via file upload"}, "threat_synthesis": {"affected_systems": "Any installation of Horilla running a version earlier than 1.5.0 is vulnerable. The product is identified under horilla\u2011opensource:horilla, with no specific sub\u2011versions listed beyond the confirmed patch release at 1.5.0.", "description_and_impact": "Horilla, an open\u2011source HRMS, allows users to update profile pictures without validating file extensions or MIME types in versions prior to 1.5.0. This allows an attacker to upload a script disguised as an image that is then served and executed in the browser when other users view the profile, giving the attacker code\u2011execution capabilities within victim sessions. The issue is classified as CWE\u2011434, reflecting an improper input validation weakness.", "risk_and_exploitability": "The CVSS score of 5.4 indicates moderate severity, and the EPSS score of less than 1% coupled with no listing in the CISA KEV catalog suggests a low probability of widespread exploitation. Nevertheless, the vulnerability is easily exploitable once an attacker has the ability to upload a file; any user who views the affected profile could be impacted by the injected script."}}}}, "created": "2026-01-22T10:08:05.508593+00:00", "updated": "2026-04-18T15:30:03.966356+00:00", "vendors": ["horilla", "horilla$PRODUCT$horilla"]}