CVE-2025-48868
Published: 24 September 2025
Summary
CVE-2025-48868 is a high-severity Eval Injection (CWE-95) vulnerability in Horilla, an open source Human Resource Management System. Its CVSS base score is 7.2 (High).
Operationally, its EPSS score places it in the top 9.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
Horilla, an open source Human Resource Management System, contains an authenticated remote code execution vulnerability in version 1.3.0. The flaw stems from unsafe use of Python's eval() on a user-controlled query parameter in the project_bulk_archive view: whatever the parameter contains is evaluated as Python code in the server process, so a crafted value runs arbitrary commands on the server. The issue is tracked as CWE-95 and carries a CVSS 3.1 score of 7.2.
Exploitation requires an authenticated account with sufficient privilege (for example, an administrator). It is easiest when Django's DEBUG mode is enabled, because the evaluated expression's output is reflected in the error response, but DEBUG=True is not a precondition: with DEBUG=False, blind payloads such as a reverse shell still execute, giving full remote code execution and complete server compromise.
The project has released version 1.3.1 to address the issue, with the fix documented in the corresponding GitHub commit and security advisory. The EPSS score remains flat at 0.0563 with no material increase observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-30970
Vulnerability details
Horilla is a free and open source Human Resource Management System (HRMS). An authenticated Remote Code Execution (RCE) vulnerability exists in Horilla 1.3.0 due to the unsafe use of Python's eval() function on a user-controlled query parameter in the project_bulk_archive view. This allows privileged users (e.g., administrators) to execute arbitrary system commands on the server. While having Django's DEBUG=True makes exploitation visibly easier by returning command output in the HTTP response, this is not required. The vulnerability can still be exploited in DEBUG=False mode by using blind payloads such as a reverse shell, leading to full remote code execution. This issue has been patched in version 1.3.1.
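The following is an added example, not Horilla's code and not the patched view from 1.3.1. It reproduces the bug class the advisory describes (eval() applied to a query-string value) in a hypothetical stand-in view, and places a hardened replacement beside it. The request object, the `ids` parameter name, and the `[1, 2, 3]` list format are assumptions made for the example; Horilla's real parameter and the exact view code are not reproduced here.

```python
"""Eval injection (CWE-95) in a Django-style view, vulnerable form beside a hardened one.

Added illustration for CVE-2025-48868; this is NOT Horilla's code. The parameter name
"ids", the "[1, 2, 3]" format and the FakeRequest stand-in are assumptions.
"""
import json
import os


class FakeRequest:
    """Constructed stand-in for a Django HttpRequest: request.GET is a QueryDict
    whose .get() behaves like a dict's, which is all this example needs offline."""

    def __init__(self, params: dict):
        self.GET = params


def vulnerable_bulk_archive(request: FakeRequest) -> object:
    """Hypothetical vulnerable pattern: the view expects a list literal such as
    "[1, 2, 3]" and turns the string into a Python list with eval().

    Because eval() runs arbitrary Python, a caller who controls the query string
    controls code execution in the server process (CWE-95)."""
    return eval(request.GET.get("ids", "[]"))  # noqa: S307  (deliberately unsafe)


MAX_IDS_LENGTH = 4096  # assumption: cap the raw string before parsing


def parse_id_list(raw: str) -> list[int]:
    """Hardened replacement: parse the value as JSON, then enforce the exact shape
    the view needs (a list of non-negative ints). JSON has no code semantics, so
    a payload like __import__('os').system('id') is rejected at the parser."""
    if len(raw) > MAX_IDS_LENGTH:
        raise ValueError("ids too long")
    try:
        value = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"ids is not a JSON list: {raw!r}") from exc
    if not isinstance(value, list):
        raise ValueError("ids must be a JSON list")
    for item in value:
        # bool is a subclass of int in Python, so exclude it explicitly
        if isinstance(item, bool) or not isinstance(item, int) or item < 0:
            raise ValueError(f"ids contains a non-id value: {item!r}")
    return value


def safe_bulk_archive(request: FakeRequest) -> list[int]:
    """Hardened view body: only validated integer ids reach the ORM layer."""
    return parse_id_list(request.GET.get("ids", "[]"))


def rejects(raw: str) -> bool:
    """True if the hardened parser refuses `raw` (used to show what is blocked)."""
    try:
        parse_id_list(raw)
    except ValueError:
        return True
    return False


def demo_payload_executes() -> bool:
    """Show that the vulnerable view runs attacker code: a benign os.getpid() call
    is evaluated in the server process and its result comes back to the caller.
    (A real attacker would substitute os.system() or a reverse shell.)"""
    payload = "__import__('os').getpid()"
    result = vulnerable_bulk_archive(FakeRequest({"ids": payload}))
    return result == os.getpid()


if __name__ == "__main__":
    print("vulnerable view executed payload:", demo_payload_executes())
    print("hardened view accepts [1, 2, 3]:", safe_bulk_archive(FakeRequest({"ids": "[1, 2, 3]"})))
    print("hardened view rejects code payload:", rejects("__import__('os').getpid()"))
```

The point of the hardened version is not "use ast.literal_eval instead of eval" but "parse with a grammar that cannot express code, then validate the type and range of every element". json.loads is one such parser; the explicit bool check matters because `[true]` would otherwise pass an isinstance(int) test. Reviewing a Django codebase for this pattern is a one-line grep for `eval(` and `exec(` in views and forms, which is also a reasonable CI check.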
- CWE(s): CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code, 'Eval Injection')
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.