Vulnerability Details CVE-2025-59525
Horilla is a free and open source Human Resource Management System (HRMS). Prior to version 1.4.0, improper sanitization across the application allows XSS via uploaded SVG (and via allowed <embed>), which can be chained to execute JavaScript whenever users view impacted content (e.g., announcements). This can result in admin account takeover. This issue has been patched in version 1.4.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 7.6%
CVSS Severity
CVSS v3 Score 6.1
References
Products affected by CVE-2025-59525
-
cpe:2.3:a:horilla:horilla:1.0.0
-
cpe:2.3:a:horilla:horilla:1.1.0
-
cpe:2.3:a:horilla:horilla:1.2.0
-
cpe:2.3:a:horilla:horilla:1.2.1
-
cpe:2.3:a:horilla:horilla:1.2.2
-
cpe:2.3:a:horilla:horilla:1.2.3
-
cpe:2.3:a:horilla:horilla:1.3
-
cpe:2.3:a:horilla:horilla:1.3.1
-
cpe:2.3:a:horilla:horilla:1.3.2