CVE-2026-41513 MEDIUM

CVE-2026-41513: Horilla: Open Redirect via Unvalidated `next` Parameter in Notification Endpoints

Vendor Horilla

Product horilla-hr

Weakness CWE-601 · Open redirect

Published May 12, 2026

Last update May 13, 2026

View on NVD All CVEs

CVSS base score

4.8/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

Horilla is an HR and CRM software. In 1.5.0, the notification endpoints trust the unvalidated next parameter and redirect users to arbitrary external URLs. This allows an attacker to turn trusted application links into phishing or social-engineering redirects.

Key dates

02Disclosure timeline

May 12, 2026 CVE published

May 13, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-41513 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/601.html

Related vulnerabilities

CVE-2026-41513: Horilla: Open Redirect via Unvalidated `next` Parameter in Notification Endpoints

01Description

02Disclosure timeline

03References

04Related CVE