CVE-2026-40866 HIGH

CVE-2026-40866: Horilla: Unauthorized Document Overwrite via File Upload Endpoint

Vendor Horilla-Opensource
Product horilla
Weakness CWE-284
Published April 21, 2026
Last update April 21, 2026

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in the employee document upload endpoint allows any authenticated user to overwrite or replace or corrupt another employee’s document by changing the document ID in the upload request. This enables unauthorized modification of HR records.

Key dates

02Disclosure timeline

April 21, 2026 CVE published
April 21, 2026 Record updated