CVE-2026-24037
📋 TL;DR
This CVE describes an XSS vulnerability in Horilla HRMS version 1.4.0 where incomplete regex patterns in the has_xss() function allow attackers to bypass XSS protection. Attackers can redirect users to malicious sites, execute external JavaScript, and steal CSRF tokens to launch CSRF attacks against administrators. All users running Horilla HRMS version 1.4.0 are affected.
💻 Affected Systems
- Horilla HRMS
📦 What is this software?
Horilla by Horilla
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal admin CSRF tokens and perform CSRF attacks to compromise admin accounts, potentially gaining full control over the HRMS system and sensitive employee data.
Likely Case
Attackers inject malicious scripts to redirect users to phishing sites or steal session cookies, leading to account compromise and data theft.
If Mitigated
With proper input validation and output encoding, XSS attacks are prevented, limiting impact to attempted but unsuccessful attacks.
🎯 Exploit Status
XSS bypass techniques are well-documented and easy to implement against incomplete regex filters.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.0
Vendor Advisory: https://github.com/horilla-opensource/horilla/security/advisories/GHSA-rqw5-fjm4-rgvm
Restart Required: Yes
Instructions:
1. Backup your current Horilla installation and database. 2. Download Horilla version 1.5.0 from the official GitHub repository. 3. Replace the existing installation with version 1.5.0 files. 4. Restart the web server service. 5. Verify the update by checking the version in the admin panel.
🔧 Temporary Workarounds
Implement WAF with XSS Protection
allDeploy a web application firewall with XSS filtering rules to block malicious payloads before they reach the application.
Enable Content Security Policy
allImplement a strict Content Security Policy header to restrict script execution sources and mitigate XSS impact.
Add to web server config: Content-Security-Policy: default-src 'self'; script-src 'self'
🧯 If You Can't Patch
- Implement input validation and output encoding at the application layer to sanitize user inputs.
- Deploy network segmentation to isolate the HRMS system from critical infrastructure.
🔍 How to Verify
Check if Vulnerable:
Check the Horilla version in the admin panel or by examining the application files. If version is 1.4.0, the system is vulnerable.Check Version:
Check the version in the admin interface or examine the application's version file if available.Verify Fix Applied:
After patching, verify the version shows 1.5.0 in the admin panel and test XSS payloads to confirm they are properly blocked.📡 Detection & Monitoring
Log Indicators:
- Unusual JavaScript payloads in HTTP request logs
- Multiple redirects to external domains
- CSRF token mismatches in authentication logs
Network Indicators:
- Outbound connections to suspicious domains following HRMS access
- Unusual JavaScript file loads from external sources
SIEM Query:
source="web_server_logs" AND (uri="*<script>*" OR uri="*javascript:*" OR uri="*onload=*" OR status=302 AND referer="*horilla*")