PT-2025-39264 · Horilla · Horilla

Naklehzeidan21 · Published 2025-09-24 · Updated 2025-09-29 · CVE-2025-48868

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Horilla versions prior to 1.3.1

Description: Horilla is a free and open source Human Resource Management System (HRMS). An authenticated Remote Code Execution (RCE) issue exists due to the unsafe use of Python’s eval() function on a user-controlled query parameter in the project bulk archive view. This allows privileged users, such as administrators, to execute arbitrary system commands on the server. Exploitation is possible even when Django’s DEBUG mode is set to False, by using blind payloads like a reverse shell, resulting in full remote code execution.

Recommendations: Update to version 1.3.1 or later.
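The following is an added illustration of the weakness class described above, not Horilla's code and not the fix shipped in 1.3.1 (the advisory only says to update). It puts the anti-pattern, eval() on a request parameter, next to a strict parser that accepts only the shape a bulk-archive view actually needs. The parameter format (a bracketed list of integer ids) and the sample inputs are assumptions made for this example.

```python
# Added example (not Horilla's code): why eval() on a query parameter is an
# RCE sink, and a strict parser that accepts only the shape the view needs.
# The "[1, 2, 3]" list-of-integer-ids format and the sample strings below are
# assumptions made for this illustration, not details taken from the advisory.
import re
from typing import List

# Constructed sample values, as they might arrive in a bulk-archive request.
GOOD_INPUT = "[12, 15, 27]"
CODE_INPUT = "[12, 15, 1+1]"   # valid Python, so eval() runs the expression


def vulnerable_parse(raw: str):
    """The anti-pattern: eval() executes whatever Python the caller sends.

    Kept only to show the difference in behaviour; never use this on request data.
    """
    return eval(raw)


# Exactly one grammar is accepted: square brackets around zero or more
# non-negative integers separated by commas, with optional whitespace.
_ID_LIST = re.compile(r"\[\s*(?:\d+\s*(?:,\s*\d+\s*)*)?\]")


def safe_parse_ids(raw: str) -> List[int]:
    """Hardened version: validate against the expected grammar, then convert.

    Nothing here is interpreted as code; anything outside the grammar is refused.
    """
    if not isinstance(raw, str) or len(raw) > 4096:
        raise ValueError("query parameter missing or too long")
    if _ID_LIST.fullmatch(raw) is None:
        raise ValueError("expected a list of integer ids, e.g. [1, 2, 3]")
    ids = [int(tok) for tok in re.findall(r"\d+", raw)]
    if any(i <= 0 for i in ids):
        raise ValueError("ids must be positive")
    return ids


def is_rejected(raw: str) -> bool:
    """True when safe_parse_ids refuses the input (a helper for the checks below)."""
    try:
        safe_parse_ids(raw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # eval() turns "1+1" into 2: the caller's text became executed code.
    print("eval on", CODE_INPUT, "->", vulnerable_parse(CODE_INPUT))
    print("strict parse of", GOOD_INPUT, "->", safe_parse_ids(GOOD_INPUT))
    print("strict parse rejects", CODE_INPUT, "->", is_rejected(CODE_INPUT))
```

In a Django view the same idea is usually expressed with a form or serializer field (a list of integers) rather than a hand-written regex; the point is that request data is validated against a fixed grammar and converted with int(), never handed to eval() or exec(). A grep for `eval(` and `exec(` across view code is a cheap way to find other instances of this sink.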

Exploit

Fix

RCE

Eval Injection

Weakness Enumeration

Related Identifiers

CVE-2025-48868
GHSA-H6QJ-PWMX-WJHW

Affected Products

Horilla