Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for horilla-hr by horilla

    CVE-2026-41513 (GCVE-0-2026-41513)

    Vulnerability from nvd – Published: 2026-05-12 16:43 – Updated: 2026-05-13 12:43
    VLAI
    Title
    Horilla: Open Redirect via Unvalidated `next` Parameter in Notification Endpoints
    Summary
    Horilla is an HR and CRM software. In 1.5.0, the notification endpoints trust the unvalidated next parameter and redirect users to arbitrary external URLs. This allows an attacker to turn trusted application links into phishing or social-engineering redirects.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
    Assigner
    References
    Impacted products
    Vendor Product Version
    horilla horilla-hr Affected: <= 1.5.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41513",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-13T12:42:34.845938Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-13T12:43:21.433Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/horilla/horilla-hr/security/advisories/GHSA-vqg4-fc32-cwvw"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "horilla-hr",
              "vendor": "horilla",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c= 1.5.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Horilla is an HR and CRM software. In 1.5.0, the notification endpoints trust the unvalidated next parameter and redirect users to arbitrary external URLs. This allows an attacker to turn trusted application links into phishing or social-engineering redirects."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "ACTIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-12T16:43:50.706Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/horilla/horilla-hr/security/advisories/GHSA-vqg4-fc32-cwvw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/horilla/horilla-hr/security/advisories/GHSA-vqg4-fc32-cwvw"
            },
            {
              "name": "https://github.com/horilla/horilla-hr/commit/734f0c7ed4ac96fe8615d1b592180ea8a46eb8b6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/horilla/horilla-hr/commit/734f0c7ed4ac96fe8615d1b592180ea8a46eb8b6"
            }
          ],
          "source": {
            "advisory": "GHSA-vqg4-fc32-cwvw",
            "discovery": "UNKNOWN"
          },
          "title": "Horilla: Open Redirect via Unvalidated `next` Parameter in Notification Endpoints"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41513",
        "datePublished": "2026-05-12T16:43:50.706Z",
        "dateReserved": "2026-04-20T18:18:50.681Z",
        "dateUpdated": "2026-05-13T12:43:21.433Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-41513 (GCVE-0-2026-41513)

    Vulnerability from cvelistv5 – Published: 2026-05-12 16:43 – Updated: 2026-05-13 12:43
    VLAI
    Title
    Horilla: Open Redirect via Unvalidated `next` Parameter in Notification Endpoints
    Summary
    Horilla is an HR and CRM software. In 1.5.0, the notification endpoints trust the unvalidated next parameter and redirect users to arbitrary external URLs. This allows an attacker to turn trusted application links into phishing or social-engineering redirects.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
    Assigner
    References
    Impacted products
    Vendor Product Version
    horilla horilla-hr Affected: <= 1.5.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41513",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-13T12:42:34.845938Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-13T12:43:21.433Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/horilla/horilla-hr/security/advisories/GHSA-vqg4-fc32-cwvw"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "horilla-hr",
              "vendor": "horilla",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c= 1.5.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Horilla is an HR and CRM software. In 1.5.0, the notification endpoints trust the unvalidated next parameter and redirect users to arbitrary external URLs. This allows an attacker to turn trusted application links into phishing or social-engineering redirects."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "ACTIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-12T16:43:50.706Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/horilla/horilla-hr/security/advisories/GHSA-vqg4-fc32-cwvw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/horilla/horilla-hr/security/advisories/GHSA-vqg4-fc32-cwvw"
            },
            {
              "name": "https://github.com/horilla/horilla-hr/commit/734f0c7ed4ac96fe8615d1b592180ea8a46eb8b6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/horilla/horilla-hr/commit/734f0c7ed4ac96fe8615d1b592180ea8a46eb8b6"
            }
          ],
          "source": {
            "advisory": "GHSA-vqg4-fc32-cwvw",
            "discovery": "UNKNOWN"
          },
          "title": "Horilla: Open Redirect via Unvalidated `next` Parameter in Notification Endpoints"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41513",
        "datePublished": "2026-05-12T16:43:50.706Z",
        "dateReserved": "2026-04-20T18:18:50.681Z",
        "dateUpdated": "2026-05-13T12:43:21.433Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }