Cyber Resilience

CVE-2025-48868

Severity: High · Public PoC · RCE

Published: 24 September 2025
Modified: 29 September 2025
KEV Added: not listed
Patch: available (version 1.3.1)
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0563 (90.5th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-48868 is a high-severity Eval Injection (CWE-95) vulnerability in Horilla. Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 9.5% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

Horilla, an open source Human Resource Management System, contains an authenticated remote code execution vulnerability in version 1.3.0. The flaw stems from unsafe use of Python’s eval() function on a user-controlled query parameter within the project_bulk_archive view, allowing arbitrary command execution on the server. The issue is tracked as CWE-95 and carries a CVSS 3.1 score of 7.2.

Privileged authenticated users such as administrators can exploit the vulnerability to run system commands. Exploitation is simplified when Django DEBUG mode is enabled because command output appears in responses, but blind techniques such as reverse shells succeed even when DEBUG is false, resulting in full remote code execution and complete server compromise.

The project has released version 1.3.1 to address the issue, with the fix documented in the corresponding GitHub commit and security advisory. The EPSS score remains flat at 0.0563 with no material increase observed after disclosure.

Vulnerability details

Horilla is a free and open source Human Resource Management System (HRMS). An authenticated Remote Code Execution (RCE) vulnerability exists in Horilla 1.3.0 due to the unsafe use of Python’s eval() function on a user-controlled query parameter in the project_bulk_archive view. This allows privileged users (e.g., administrators) to execute arbitrary system commands on the server. While having Django’s DEBUG=True makes exploitation visibly easier by returning command output in the HTTP response, this is not required. The vulnerability can still be exploited in DEBUG=False mode by using blind payloads such as a reverse shell, leading to full remote code execution. This issue has been patched in version 1.3.1.
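The root cause in both descriptions above is a view that hands a query-string value straight to eval(). The following is an added illustration, not Horilla's own code (the real view and parameter names are not reproduced; `ids`, `parse_ids` and `bulk_archive_ids` are assumed names): the weak pattern next to a hardened replacement that parses the parameter as a JSON list of positive integer primary keys and rejects anything else.

```python
import json
from typing import List


class BadRequest(ValueError):
    """Raised when a query parameter is not a well-formed list of ids."""


# Weak pattern (the CWE-95 bug class): the query-string value is evaluated
# as Python, so it can express arbitrary code rather than just a list.
def ids_from_query_unsafe(raw: str) -> list:
    return eval(raw)  # shown only to contrast with the safe parser below


# Hardened replacement (hypothetical helper, not from the Horilla code base):
# parse as JSON, then enforce the exact shape the view expects.
def parse_ids(raw: str, max_items: int = 500) -> List[int]:
    try:
        data = json.loads(raw)
    except (TypeError, json.JSONDecodeError) as exc:
        raise BadRequest("ids must be a JSON list") from exc
    if not isinstance(data, list):
        raise BadRequest("ids must be a JSON list")
    if len(data) > max_items:
        raise BadRequest(f"too many ids (limit {max_items})")
    ids: List[int] = []
    for item in data:
        # bool is a subclass of int in Python; reject it explicitly.
        if isinstance(item, bool) or not isinstance(item, int) or item < 1:
            raise BadRequest("ids must be positive integers")
        ids.append(item)
    return ids


def bulk_archive_ids(request_get: dict) -> List[int]:
    """Mimics the view's parameter handling: read `ids` from the query
    string (a plain dict stands in for request.GET) and validate it."""
    return parse_ids(request_get.get("ids", "[]"))


def is_rejected(raw: str) -> bool:
    """True if the hardened parser refuses the value (used for checks)."""
    try:
        parse_ids(raw)
    except BadRequest:
        return True
    return False
```

On well-formed input both functions return the same list; the difference is that the hardened parser refuses any value that is not literally a JSON list of positive integers, so a code expression in the parameter is rejected before it reaches the ORM.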

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: horilla
Product: horilla
Version: 1.3

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
