CVE-2026-24037 MEDIUM

CVE-2026-24037: Horilla HRM has XSS Bypass through Project Name

Vendor Horilla-Opensource

Product horilla

Weakness CWE-79 · XSS

Published January 22, 2026

Last update January 22, 2026

View on NVD All CVEs

CVSS base score

4.8/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

Horilla is a free and open source Human Resource Management System (HRMS). In version 1.4.0, the has_xss() function attempts to block XSS by matching input against a set of regex patterns. However, the regexes are incomplete and context-agnostic, making them easy to bypass. Attackers are able to redirect users to malicious domains, run external JavaScript, and steal CSRF tokens that can be used to craft CSRF attacks against admins. This issue has been fixed in version 1.5.0.

Key dates

02Disclosure timeline

January 22, 2026 CVE published

January 22, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-24037 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

CVE-2026-24037: Horilla HRM has XSS Bypass through Project Name

01Description

02Disclosure timeline

03References

04Related CVE