CVE-2026-24010 (GCVE-0-2026-24010)
Vulnerability from cvelistv5 – Published: 2026-01-22 02:37 – Updated: 2026-01-22 12:48
VLAI
Title
Horilla has HTML Injection Issue that, with Phishing, Leads to Account Takeover
Summary
Horilla is a free and open source Human Resource Management System (HRMS). A critical File Upload vulnerability in versions prior to 1.5.0, with Social Engineering, allows authenticated users to deploy phishing attacks. By uploading a malicious HTML file disguised as a profile picture, an attacker can create a convincing login page replica that steals user credentials. When a victim visits the uploaded file URL, they see an authentic-looking "Session Expired" message prompting them to re-authenticate. All entered credentials are captured and sent to the attacker's server, enabling Account Takeover. Version 1.5.0 patches the issue.
Severity
8.8 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/horilla-opensource/horilla/sec… | x_refsource_CONFIRM |
| https://github.com/horilla-opensource/horilla/rel… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| horilla-opensource | horilla |
Affected:
< 1.5.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24010",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-22T12:47:16.513885Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T12:48:02.914Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "horilla",
"vendor": "horilla-opensource",
"versions": [
{
"status": "affected",
"version": "\u003c 1.5.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Horilla is a free and open source Human Resource Management System (HRMS). A critical File Upload vulnerability in versions prior to 1.5.0, with Social Engineering, allows authenticated users to deploy phishing attacks. By uploading a malicious HTML file disguised as a profile picture, an attacker can create a convincing login page replica that steals user credentials. When a victim visits the uploaded file URL, they see an authentic-looking \"Session Expired\" message prompting them to re-authenticate. All entered credentials are captured and sent to the attacker\u0027s server, enabling Account Takeover. Version 1.5.0 patches the issue."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-474",
"description": "CWE-474: Use of Function with Inconsistent Implementations",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T02:37:19.130Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/horilla-opensource/horilla/security/advisories/GHSA-5jfv-gw8w-49h3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/horilla-opensource/horilla/security/advisories/GHSA-5jfv-gw8w-49h3"
},
{
"name": "https://github.com/horilla-opensource/horilla/releases/tag/1.5.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/horilla-opensource/horilla/releases/tag/1.5.0"
}
],
"source": {
"advisory": "GHSA-5jfv-gw8w-49h3",
"discovery": "UNKNOWN"
},
"title": "Horilla has HTML Injection Issue that, with Phishing, Leads to Account Takeover"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24010",
"datePublished": "2026-01-22T02:37:19.130Z",
"dateReserved": "2026-01-19T18:49:20.660Z",
"dateUpdated": "2026-01-22T12:48:02.914Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-24010",
"date": "2026-06-29",
"epss": "0.0042",
"percentile": "0.33703"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-24010\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-01-22T03:15:48.090\",\"lastModified\":\"2026-06-17T10:22:28.417\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Horilla is a free and open source Human Resource Management System (HRMS). A critical File Upload vulnerability in versions prior to 1.5.0, with Social Engineering, allows authenticated users to deploy phishing attacks. By uploading a malicious HTML file disguised as a profile picture, an attacker can create a convincing login page replica that steals user credentials. When a victim visits the uploaded file URL, they see an authentic-looking \\\"Session Expired\\\" message prompting them to re-authenticate. All entered credentials are captured and sent to the attacker\u0027s server, enabling Account Takeover. Version 1.5.0 patches the issue.\"},{\"lang\":\"es\",\"value\":\"Horilla es un Sistema de Gesti\u00f3n de Recursos Humanos (HRMS) de c\u00f3digo abierto y gratuito. Una vulnerabilidad cr\u00edtica de carga de archivos en versiones anteriores a la 1.5.0, con ingenier\u00eda social, permite a usuarios autenticados desplegar ataques de phishing. Al cargar un archivo HTML malicioso disfrazado como una imagen de perfil, un atacante puede crear una r\u00e9plica convincente de p\u00e1gina de inicio de sesi\u00f3n que roba credenciales de usuario. Cuando una v\u00edctima visita la URL del archivo cargado, ve un mensaje de \u0027Sesi\u00f3n Expirada\u0027 de aspecto aut\u00e9ntico que les solicita volver a autenticarse. Todas las credenciales introducidas son capturadas y enviadas al servidor del atacante, lo que permite la toma de control de cuentas. La versi\u00f3n 1.5.0 corrige el problema.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"horilla-opensource\",\"product\":\"horilla\",\"versions\":[{\"version\":\"\u003c 1.5.0\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.1,\"impactScore\":5.9}],\"cvssMetricV30\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-01-22T12:47:16.513885Z\",\"id\":\"CVE-2026-24010\",\"options\":[{\"exploitation\":\"poc\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-74\"},{\"lang\":\"en\",\"value\":\"CWE-474\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-434\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:horilla:horilla:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.5.0\",\"matchCriteriaId\":\"57934F7E-B93F-40A5-9E9A-CB97D7568936\"}]}]}],\"references\":[{\"url\":\"https://github.com/horilla-opensource/horilla/releases/tag/1.5.0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/horilla-opensource/horilla/security/advisories/GHSA-5jfv-gw8w-49h3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-24010\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-22T12:47:16.513885Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-22T12:47:58.389Z\"}}], \"cna\": {\"title\": \"Horilla has HTML Injection Issue that, with Phishing, Leads to Account Takeover\", \"source\": {\"advisory\": \"GHSA-5jfv-gw8w-49h3\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_0\": {\"scope\": \"UNCHANGED\", \"version\": \"3.0\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"horilla-opensource\", \"product\": \"horilla\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.5.0\"}]}], \"references\": [{\"url\": \"https://github.com/horilla-opensource/horilla/security/advisories/GHSA-5jfv-gw8w-49h3\", \"name\": \"https://github.com/horilla-opensource/horilla/security/advisories/GHSA-5jfv-gw8w-49h3\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/horilla-opensource/horilla/releases/tag/1.5.0\", \"name\": \"https://github.com/horilla-opensource/horilla/releases/tag/1.5.0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Horilla is a free and open source Human Resource Management System (HRMS). A critical File Upload vulnerability in versions prior to 1.5.0, with Social Engineering, allows authenticated users to deploy phishing attacks. By uploading a malicious HTML file disguised as a profile picture, an attacker can create a convincing login page replica that steals user credentials. When a victim visits the uploaded file URL, they see an authentic-looking \\\"Session Expired\\\" message prompting them to re-authenticate. All entered credentials are captured and sent to the attacker\u0027s server, enabling Account Takeover. Version 1.5.0 patches the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-74\", \"description\": \"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-474\", \"description\": \"CWE-474: Use of Function with Inconsistent Implementations\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-01-22T02:37:19.130Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-24010\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-22T12:48:02.914Z\", \"dateReserved\": \"2026-01-19T18:49:20.660Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-01-22T02:37:19.130Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…