CVE-2025-59525 HIGH

CVE-2025-59525: Horilla has Improper Input Sanitization Leading to XSS and Admin Account Takeover

Vendor Horilla-Opensource

Product horilla

Weakness CWE-79 · XSS

Published September 24, 2025

Last update October 15, 2025

View on NVD All CVEs

CVSS base score

7.7/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N

What the vulnerability does

01Description

Horilla is a free and open source Human Resource Management System (HRMS). Prior to version 1.4.0, improper sanitization across the application allows XSS via uploaded SVG (and via allowed <embed>), which can be chained to execute JavaScript whenever users view impacted content (e.g., announcements). This can result in admin account takeover. This issue has been patched in version 1.4.0.

Key dates

02Disclosure timeline

September 24, 2025 CVE published

October 15, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-59525 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

CVE-2025-59525: Horilla has Improper Input Sanitization Leading to XSS and Admin Account Takeover

01Description

02Disclosure timeline

03References

04Related CVE