
Vulnerability Details CVE-2026-24010

Horilla is a free and open source Human Resource Management System (HRMS). In versions prior to 1.5.0, a critical file upload vulnerability, combined with social engineering, allows authenticated users to deploy phishing attacks. By uploading a malicious HTML file disguised as a profile picture, an attacker can create a convincing replica of the login page that steals user credentials. When a victim visits the URL of the uploaded file, they see an authentic-looking "Session Expired" message prompting them to re-authenticate. All entered credentials are captured and sent to the attacker's server, enabling account takeover. Version 1.5.0 patches the issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 18.7%
CVSS Severity
CVSS v3 Score 8.8
Products affected by CVE-2026-24010

