PT-2026-3914 · Horilla · Horilla

Whoisshuvam · Published 2026-01-22 · Updated 2026-01-27 · CVE-2026-24038

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Horilla version 1.4.0
Description: Horilla, a Human Resource Management System (HRMS), contains a flaw in its two-factor authentication implementation. Specifically, the OTP handling logic performs a flawed equality check. When an OTP expires, the server returns None. An attacker can bypass two-factor authentication by omitting the otp field from the POST request, so that the comparison user otp == otp passes even without a valid OTP. Targeting administrative accounts could lead to compromise of sensitive HR data and manipulation of employee records. The vulnerable parameter is otp.
Recommendations: Update to version 1.5.0 or later.
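The following is an added, constructed illustration of the comparison flaw described above, not Horilla's own code: the in-memory store, the TTL and the function names are assumptions. It places the vulnerable check (None == None passes when the field is omitted or the OTP has expired) beside a hardened one that rejects missing input and missing server state before comparing.

```python
import hmac
import secrets

OTP_TTL_SECONDS = 300  # assumed lifetime of an issued OTP

# Constructed in-memory store: user id -> (otp, expiry timestamp).
_otp_store = {}


def issue_otp(user_id, now):
    """Issue a fresh 6-digit OTP for user_id, valid for OTP_TTL_SECONDS."""
    otp = f"{secrets.randbelow(10**6):06d}"
    _otp_store[user_id] = (otp, now + OTP_TTL_SECONDS)
    return otp


def stored_otp(user_id, now):
    """Return the user's current OTP, or None if none was issued or it expired."""
    entry = _otp_store.get(user_id)
    if entry is None or now > entry[1]:
        return None
    return entry[0]


def verify_otp_vulnerable(user_id, form, now):
    # Flawed pattern: form.get("otp") is None when the field is omitted and
    # stored_otp() is None after expiry, so None == None evaluates to True.
    return stored_otp(user_id, now) == form.get("otp")


def verify_otp_fixed(user_id, form, now):
    submitted = form.get("otp")
    expected = stored_otp(user_id, now)
    # Fail closed: a missing/non-string field or absent/expired server-side OTP
    # is rejected before any comparison, so None can never match None.
    if not isinstance(submitted, str) or expected is None:
        return False
    ok = hmac.compare_digest(expected.encode(), submitted.encode())
    if ok:
        _otp_store.pop(user_id, None)  # single use: consume on success
    return ok
```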

Exploit

Fix

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2026-24038
GHSA-HQPV-FF5V-3HWF

Affected Products

Horilla