CVE-2026-24010
📋 TL;DR
Horilla HRMS versions before 1.5.0 contain a critical file upload vulnerability that allows authenticated users to upload malicious HTML files disguised as profile pictures. This enables phishing attacks where victims are tricked into entering credentials on fake login pages, leading to account takeover. All organizations running affected Horilla versions are at risk.
💻 Affected Systems
- Horilla HRMS
📦 What is this software?
Horilla by Horilla
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the HRMS system with stolen administrator credentials leading to exposure of sensitive employee data, payroll information, and potential lateral movement to other systems.
Likely Case
Multiple user accounts compromised through credential theft, leading to unauthorized access to HR data, potential data exfiltration, and business disruption.
If Mitigated
Limited impact with only low-privilege accounts potentially compromised if proper network segmentation and monitoring are in place.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once access is obtained. Social engineering element increases effectiveness.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.0
Vendor Advisory: https://github.com/horilla-opensource/horilla/security/advisories/GHSA-5jfv-gw8w-49h3
Restart Required: Yes
Instructions:
1. Backup your Horilla database and configuration.
2. Download version 1.5.0 from GitHub releases.
3. Replace the existing installation with the new version.
4. Restart the Horilla service.
5. Verify functionality.
🔧 Temporary Workarounds
Restrict File Upload Types
Configure the web server or application to block HTML file uploads at the profile picture endpoint. The web server rules below deny requests for paths ending in .html or .htm, so an uploaded HTML file cannot be served to a victim; they do not inspect the upload body itself, so pair them with the content validation below.
# Configure nginx:
location ~* \.(html|htm)$ { deny all; }
# Configure Apache:
<FilesMatch "\.(html|htm)$">
    Require all denied
</FilesMatch>
Implement Content-Type Validation
Add server-side validation to reject non-image content types for profile picture uploads. The Content-Type of an upload is supplied by the client and can be set to anything, so combine this check with a check of the file's actual bytes (image signature) rather than relying on it alone.
# Example Python validation:
if not file.content_type.startswith('image/'):
    raise ValidationError('Only image files allowed')
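The following is an added example of a fuller server-side check, not code from Horilla or from the advisory. It assumes the upload handler has access to the original filename, the declared Content-Type and the file bytes (the function name and the sample inputs are constructed here). It layers an extension allowlist, the declared Content-Type check from above, a file-signature (magic bytes) check and a scan for HTML markup, and it also shows why the Content-Type check on its own accepts an HTML file that merely declares itself an image.

```python
"""Profile picture upload validation (added example, not Horilla's own code).

Checks run in order: filename extension allowlist, declared Content-Type,
file signature (magic bytes), then a scan of the first bytes for HTML
markup. The declared Content-Type is client-controlled and can be forged,
so the signature check is the one that actually decides.
"""
import os

# Extensions accepted for a profile picture (assumed allowlist).
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}

# File signatures of the accepted image types, keyed by lower-case extension.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Markup that has no business inside an image file.
HTML_MARKERS = (b"<!doctype html", b"<html", b"<script", b"<iframe", b"<body")


def content_type_only_accepts(declared_content_type: str) -> bool:
    """The check from the workaround above on its own: trusts the client header."""
    return declared_content_type.startswith("image/")


def validate_profile_picture(filename: str, declared_content_type: str, data: bytes):
    """Return (accepted, reason) for an uploaded profile picture."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext or '(none)'} not allowed"
    if not content_type_only_accepts(declared_content_type.lower()):
        return False, f"declared content type {declared_content_type!r} is not an image"
    # The declared type and extension can both be chosen by the uploader;
    # the bytes have to look like the image type they claim to be.
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return False, f"file signature does not match {ext}"
    # Catch polyglots: a valid image header followed by HTML in the same file.
    head = data[:1024].lower()
    if any(marker in head for marker in HTML_MARKERS):
        return False, "HTML markup found in file body"
    return True, "ok"


# Constructed sample inputs (not real uploads).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
HTML_DISGUISED = b"<!DOCTYPE html><html><body>constructed sample</body></html>"

if __name__ == "__main__":
    cases = [
        ("avatar.png", "image/png", PNG_SAMPLE),      # genuine image: accepted
        ("avatar.png", "image/png", HTML_DISGUISED),  # HTML with forged name/type: rejected
        ("page.html", "text/html", HTML_DISGUISED),   # plain HTML upload: rejected
    ]
    for name, ctype, data in cases:
        print(name, ctype, "->", validate_profile_picture(name, ctype, data))
    print("content-type-only check accepts the disguised file:",
          content_type_only_accepts("image/png"))
```

The second case is the one that matters: the uploader chose a `.png` name and an `image/png` header, so the Content-Type check alone passes it, and only the signature check rejects it.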
🧯 If You Can't Patch
- Implement strict WAF rules to block HTML file uploads and monitor for suspicious upload attempts
- Disable profile picture upload functionality entirely until patching is possible
🔍 How to Verify
Check if Vulnerable:
Check Horilla version in admin panel or via package manager. Versions below 1.5.0 are vulnerable.
Check Version:
# Check version in Horilla admin interface or via: python manage.py --version
Verify Fix Applied:
After upgrading to 1.5.0, attempt to upload an HTML file as a profile picture - this should be rejected.
📡 Detection & Monitoring
Log Indicators:
- HTML file upload attempts to profile picture endpoint
- Unusual file size or type for profile pictures
- Multiple failed upload attempts
Network Indicators:
- Outbound connections to suspicious domains following file uploads
- Unusual POST requests to upload endpoints with HTML content
SIEM Query:
source="horilla_logs" AND (file_extension="html" OR file_extension="htm") AND endpoint="*/upload/profile_picture"
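As an added example (not part of the advisory and not Horilla's code), the log indicators and the SIEM query above can be run as a small detection script over structured upload logs. The log format is assumed: one JSON object per line with fields `ts`, `user`, `endpoint`, `file_name`, `content_type` and `status`; the sample lines are constructed. It flags HTML uploads to the profile picture endpoint by extension or declared content type, and separately flags a user with repeated failed upload attempts.

```python
"""Detection over profile picture upload logs (added example, assumed log format).

Two rules: an HTML file (by extension or declared content type) sent to the
profile picture upload endpoint, and repeated failed uploads by one user.
"""
import json
import re
from collections import Counter

# Same endpoint pattern as the SIEM query above (*/upload/profile_picture).
PROFILE_PIC_ENDPOINT = re.compile(r"/upload/profile_picture$")
HTML_EXT = re.compile(r"\.html?$", re.IGNORECASE)
FAILED_ATTEMPT_THRESHOLD = 3  # assumed tuning value

# Constructed sample log lines; field names are assumptions about the log format.
SAMPLE_LOG = """\
{"ts": "2026-01-10T09:00:01Z", "user": "alice", "endpoint": "/employee/upload/profile_picture", "file_name": "me.png", "content_type": "image/png", "status": 200}
{"ts": "2026-01-10T09:05:12Z", "user": "mallory", "endpoint": "/employee/upload/profile_picture", "file_name": "page.html", "content_type": "text/html", "status": 200}
{"ts": "2026-01-10T09:06:40Z", "user": "mallory", "endpoint": "/employee/upload/profile_picture", "file_name": "avatar.png", "content_type": "text/html", "status": 400}
{"ts": "2026-01-10T09:07:02Z", "user": "mallory", "endpoint": "/employee/upload/profile_picture", "file_name": "photo.htm", "content_type": "image/png", "status": 400}
{"ts": "2026-01-10T09:07:30Z", "user": "mallory", "endpoint": "/employee/upload/profile_picture", "file_name": "pic.png", "content_type": "image/png", "status": 413}
{"ts": "2026-01-10T09:10:00Z", "user": "bob", "endpoint": "/employee/upload/document", "file_name": "notes.html", "content_type": "text/html", "status": 200}
"""


def analyze(lines):
    """Return a list of alert dicts for the given iterable of JSON log lines."""
    alerts = []
    failures = Counter()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        # Only the profile picture endpoint is in scope for this rule set.
        if not PROFILE_PIC_ENDPOINT.search(ev.get("endpoint", "")):
            continue
        name = ev.get("file_name", "")
        ctype = ev.get("content_type", "").lower()
        # Rule 1: HTML by extension or by declared type, whether or not the
        # server accepted it (a 200 here is the vulnerable behaviour).
        if HTML_EXT.search(name) or ctype.startswith("text/html"):
            alerts.append({
                "rule": "html_profile_picture_upload",
                "user": ev["user"], "ts": ev["ts"],
                "file_name": name, "status": ev["status"],
            })
        # Rule 2 bookkeeping: count rejected uploads per user.
        if ev.get("status", 0) >= 400:
            failures[ev["user"]] += 1
    for user, count in failures.items():
        if count >= FAILED_ATTEMPT_THRESHOLD:
            alerts.append({"rule": "repeated_failed_uploads", "user": user, "count": count})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert)
```

Against the sample, the first rule fires three times for mallory (one accepted `.html`, one `text/html` body under a `.png` name, one `.htm` name under an image type), bob's HTML upload to a different endpoint is out of scope, and the three rejected attempts trip the repeated-failure rule. A 200 on the first rule is the signal that the instance is still unpatched.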