📦 Horilla
by Horilla
🔍 What is Horilla?
Description coming soon...
🛡️ Security Overview
Click on a severity to filter vulnerabilities
⚠️ Known Vulnerabilities
A stored cross-site scripting (XSS) vulnerability in Horilla HRMS allows low-privilege authenticated users to inject malicious JavaScript into ticket comments. When administrators view these comments,...
This vulnerability allows attackers to bypass two-factor authentication in Horilla HRMS by omitting the OTP field from authentication requests. When the OTP expires, the server returns None, and if th...
Horilla HRMS versions before 1.5.0 contain a critical file upload vulnerability that allows authenticated users to upload malicious HTML files disguised as profile pictures. This enables phishing atta...
Horilla HRMS version 1.3.0 contains an authenticated Remote Code Execution vulnerability where privileged users (like administrators) can execute arbitrary system commands on the server. The vulnerabi...
CVE-2026-24039 is an improper access control vulnerability in Horilla HRMS version 1.4.0 that allows low-privileged employees to self-approve documents they uploaded. This undermines HR process integr...
Horilla HRMS versions before 1.5.0 contain a cross-site scripting vulnerability in the profile photo upload functionality. Attackers can upload malicious files that execute JavaScript in victims' brow...
This vulnerability allows any authenticated employee in Horilla HRMS to upload documents on behalf of any other employee without proper authorization. It affects organizations using Horilla HR Softwar...
This vulnerability in Horilla HRMS allows unauthenticated attackers to view unpublished job postings through an exposed API endpoint. Organizations using Horilla versions 1.4.0 and above are affected,...
This CVE describes an XSS vulnerability in Horilla HRMS version 1.4.0 where incomplete regex patterns in the has_xss() function allow attackers to bypass XSS protection. Attackers can redirect users t...
This is an open redirect vulnerability in Horilla HRMS that allows attackers to craft URLs that redirect users to external malicious domains after login. Attackers can use this to create convincing ph...
A critical deserialization vulnerability in horilla up to version 1.2.1 allows remote attackers to execute arbitrary code by manipulating specific functions. This affects all systems running vulnerabl...
This CVE describes a cross-site scripting (XSS) vulnerability in Horilla CRM's Leads Module. Attackers can inject malicious scripts via the Notes argument in the global.js file, potentially compromisi...