CVE-2026-24034

5.4 MEDIUM

📋 TL;DR

Horilla HRMS versions before 1.5.0 contain a cross-site scripting vulnerability in the profile photo upload functionality. Attackers can upload malicious files that execute JavaScript in victims' browsers when viewed. This affects all organizations using vulnerable Horilla installations.

💻 Affected Systems

Products:
  • Horilla HRMS
Versions: All versions prior to 1.5.0
Operating Systems: All platforms running Horilla
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with profile photo upload functionality enabled are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on user systems.

🟠 Likely Case

Attackers could steal user credentials or session tokens, leading to unauthorized access to HR data and systems.

🟢 If Mitigated

With proper input validation and content-type checking, malicious scripts would be blocked before execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to upload profile photos, but the attack vector is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5.0

Vendor Advisory: https://github.com/horilla-opensource/horilla/security/advisories/GHSA-mvwg-7c8w-qw2p

Restart Required: Yes

Instructions:

1. Back up your Horilla installation and database.
2. Download version 1.5.0 from GitHub releases.
3. Replace the existing files with the new version.
4. Restart the web server.
5. Verify functionality.

🔧 Temporary Workarounds

Disable profile photo upload (applies to: all)

Temporarily disable the profile photo upload functionality in Horilla settings.

Web Application Firewall rules (applies to: all)

Implement WAF rules to block malicious file uploads and XSS payloads.

🧯 If You Can't Patch

  • Implement strict file upload validation at the web server level
  • Use Content Security Policy headers to restrict script execution

🔍 How to Verify

Check if Vulnerable:

Check the Horilla version in the admin panel or by examining the version files. If the version is below 1.5.0, the system is vulnerable.

Check Version:

Check Horilla version in admin interface or examine version.txt file in installation directory

Verify Fix Applied:

After upgrading to 1.5.0, verify that file uploads now validate both file extension and content-type headers.
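As an added defensive example (not code from Horilla or this advisory), the validation described above written in Python with assumed function and constant names: an upload is accepted only when the file extension, the declared Content-Type header and the file's leading bytes all agree on one allowed image format, so an HTML document renamed to .png is rejected. The magic-byte check goes one step beyond the extension/content-type check the advisory mentions.

```python
# Allowlist: each accepted extension and the Content-Type it must declare.
ALLOWED_TYPES = {
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "png": "image/png",
    "gif": "image/gif",
}

# Leading bytes each accepted format must start with (standard magic numbers).
MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}


def validate_profile_photo(filename, content_type, data):
    """Return (accepted, reason). All three checks must agree for acceptance."""
    # 1. Extension allowlist: only the final suffix counts, so "x.png.html" fails.
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext!r} is not an allowed image type"
    expected = ALLOWED_TYPES[ext]

    # 2. Declared Content-Type (parameters stripped) must match the extension.
    declared = content_type.split(";", 1)[0].strip().lower()
    if declared != expected:
        return False, f"content-type {declared!r} does not match .{ext}"

    # 3. The bytes themselves must be that image format, not HTML renamed to it.
    if not any(data.startswith(magic) for magic in MAGIC[expected]):
        return False, f"file content is not a valid {expected}"
    return True, "accepted"


# Constructed sample uploads (not from the advisory): one genuine PNG header
# and three HTML documents disguised to different degrees.
SAMPLES = [
    ("avatar.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("avatar.html", "text/html", b"<html><body>not an image</body></html>"),
    ("avatar.png", "text/html", b"<html><body>not an image</body></html>"),
    ("avatar.png", "image/png", b"<html><body>not an image</body></html>"),
]

if __name__ == "__main__":
    for name, ctype, body in SAMPLES:
        ok, why = validate_profile_photo(name, ctype, body)
        print(f"{name:12} {ctype:10} -> {'ACCEPT' if ok else 'REJECT'}: {why}")
```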

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads with suspicious extensions
  • Multiple failed upload attempts
  • Uploads with mismatched content-type headers

Network Indicators:

  • HTTP POST requests to profile photo upload endpoints with unusual payloads

SIEM Query:

source="web_server" AND (uri="/upload/profile" OR uri="/profile/photo") AND (file_extension="html" OR file_extension="htm" OR content_type="text/html")
