PT-2026-33317 · Horilla · Horilla

Published

2026-04-16

Updated

2026-04-22

CVE-2026-40867

CVSS v4.0

7.1

High

Vector

AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Name of the Vulnerable Software and Affected Versions Horilla version 1.5.0

Description A broken access control issue in the helpdesk attachment viewer allows any authenticated user to view attachments from other tickets by modifying the attachment ID. This flaw can lead to the exposure of sensitive support files and internal documents across unrelated users or teams.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Improper Access Control

IDOR

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-284CWE-639

Related Identifiers

CVE-2026-40867

Affected Products

Horilla

PT-2026-33317 · Horilla · Horilla

CVE-2026-40867

Weakness Enumeration

Related Identifiers

Affected Products

References · 5