CVE-2026-24010 HIGH

CVE-2026-24010: Horilla has HTML Injection Issue that, with Phishing, Leads to Account Takeover

Vendor Horilla-Opensource
Product horilla
Weakness CWE-74
Published January 22, 2026
Last update January 22, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Horilla is a free and open source Human Resource Management System (HRMS). A critical File Upload vulnerability in versions prior to 1.5.0, with Social Engineering, allows authenticated users to deploy phishing attacks. By uploading a malicious HTML file disguised as a profile picture, an attacker can create a convincing login page replica that steals user credentials. When a victim visits the uploaded file URL, they see an authentic-looking "Session Expired" message prompting them to re-authenticate. All entered credentials are captured and sent to the attacker's server, enabling Account Takeover. Version 1.5.0 patches the issue.

Key dates

02Disclosure timeline

January 22, 2026 CVE published
January 22, 2026 Record updated