PT-2026-3908 · Horilla

Author: Buraksuu · Published: 2026-01-22 · Updated: 2026-01-22 · CVE-2026-24010

CVSS v3.1: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Horilla versions prior to 1.5.0
Description: Horilla is a free and open source Human Resource Management System (HRMS). A critical file upload issue, combined with social engineering, allows authenticated users to launch phishing attacks against other users. An attacker can upload a malicious HTML file, disguised as a profile picture, that replicates the login page and steals user credentials. When a victim opens the URL of the uploaded file, they see a deceptive "Session Expired" message prompting re-authentication. All entered credentials are sent to the attacker's server, potentially leading to account takeover. The vulnerable functionality is the file upload, specifically of HTML files, which are then served to other users. The API endpoint used for file uploads is not specified. The vulnerable parameter is the file upload field for profile pictures.
Recommendations: Update Horilla to version 1.5.0 or later.
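The weakness class behind this advisory is an upload field that accepts and later serves arbitrary content. The following is an added example, not Horilla's code and not the project's fix: it shows the two controls a defender would put around a profile-picture upload, validation of the content itself (magic bytes, declared type and extension must all agree, plus a heuristic check for markup hidden behind a valid image header) and response headers that stop a browser from rendering a stored upload as a document. All function names, the size limit and the sample inputs are assumptions constructed for the example.

```python
"""Added example (not Horilla's code): validate a profile-picture upload so that
an HTML document disguised as an image is rejected, and build the headers a
server should attach when serving stored uploads.  Names and limits are assumed."""
import re
from typing import Optional, Set, Tuple

ALLOWED_TYPES = {"image/png", "image/jpeg", "image/gif"}
MAX_BYTES = 2 * 1024 * 1024  # assumed 2 MiB limit for a profile picture

# (leading magic bytes, MIME type they identify, extensions accepted for that type)
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "image/png", {"png"}),
    (b"\xff\xd8\xff", "image/jpeg", {"jpg", "jpeg"}),
    (b"GIF87a", "image/gif", {"gif"}),
    (b"GIF89a", "image/gif", {"gif"}),
]

# Markup that would let a browser treat a sniffed file as a document.
HTML_MARKER = re.compile(
    rb"<\s*(?:!doctype|html|head|body|script|iframe|form|svg)\b", re.IGNORECASE
)


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the message is safe to log."""


def sniff_image(data: bytes) -> Optional[Tuple[str, Set[str]]]:
    """Return (mime, allowed_extensions) for a known image signature, else None."""
    for magic, mime, exts in SIGNATURES:
        if data.startswith(magic):
            return mime, exts
    return None


def validate_profile_picture(filename: str, declared_type: str, data: bytes) -> str:
    """Return the MIME type to store the file under, or raise UploadRejected.

    The client-supplied filename and Content-Type are never trusted on their own:
    the bytes decide the type, and name and declared type must agree with them."""
    if not data:
        raise UploadRejected("empty upload")
    if len(data) > MAX_BYTES:
        raise UploadRejected("upload exceeds size limit")
    sniffed = sniff_image(data)
    if sniffed is None:
        raise UploadRejected("content does not start with a supported image signature")
    mime, exts = sniffed
    if declared_type not in ALLOWED_TYPES or declared_type != mime:
        raise UploadRejected(f"declared type {declared_type!r} does not match content {mime!r}")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in exts:
        raise UploadRejected(f"extension {ext!r} is not valid for {mime!r}")
    # Defence-in-depth heuristic: a genuine image header followed by markup is a
    # polyglot; the serving headers below are the primary control, this is a backstop.
    if HTML_MARKER.search(data[:4096]):
        raise UploadRejected("image contains embedded markup")
    return mime


def rejects(filename: str, declared_type: str, data: bytes) -> bool:
    """True if the validator rejects the upload (convenience for tests and audits)."""
    try:
        validate_profile_picture(filename, declared_type, data)
    except UploadRejected:
        return True
    return False


def upload_response_headers(stored_mime: str) -> dict:
    """Headers for serving a stored upload so the browser never renders it as a page:
    the server-determined type, no MIME sniffing, and a sandboxed, script-free CSP."""
    return {
        "Content-Type": stored_mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed sample inputs (not real files from the advisory).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
SAMPLE_HTML = b"<!DOCTYPE html><html><body>not an image</body></html>"
SAMPLE_POLYGLOT = b"\x89PNG\r\n\x1a\n" + b"<script>x</script>"

if __name__ == "__main__":
    print(validate_profile_picture("avatar.png", "image/png", SAMPLE_PNG))
    print("html as png rejected:", rejects("avatar.png", "image/png", SAMPLE_HTML))
    print("polyglot rejected:", rejects("avatar.png", "image/png", SAMPLE_POLYGLOT))
    print(upload_response_headers("image/png"))
```

Serving uploads from a separate origin (a dedicated media host) is the complementary control: even if a file slips through validation, a page rendered from that origin carries none of the application's session context, so a fake login form cannot pass as the application's own.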

Weakness Enumeration

Unrestricted File Upload
Special Elements Injection

Related Identifiers

CVE-2026-24010
GHSA-5JFV-GW8W-49H3

Affected Products

Horilla