CVE-2026-24010
Published: 22 January 2026
Summary
CVE-2026-24010 is a high-severity Injection (CWE-74) vulnerability in Horilla. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002). It ranks at the 5.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-9 (Information Input Restrictions).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly addresses improper neutralization of special elements in file uploads by validating content and type to block malicious HTML disguised as profile pictures.
- Restricts the types and quantities of uploaded files to safe formats such as images, preventing unrestricted upload of dangerous HTML files.
- Governs publicly releasable content to restrict access to user-uploaded files, mitigating phishing via publicly accessible malicious HTML URLs.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
- The file upload vulnerability allows an attacker to host a malicious HTML phishing page reachable via a public URL, which enables spearphishing links for credential capture.
NVD Description
Horilla is a free and open source Human Resource Management System (HRMS). A critical File Upload vulnerability in versions prior to 1.5.0, with Social Engineering, allows authenticated users to deploy phishing attacks. By uploading a malicious HTML file disguised as a profile picture, an attacker can create a convincing login page replica that steals user credentials. When a victim visits the uploaded file URL, they see an authentic-looking "Session Expired" message prompting them to re-authenticate. All entered credentials are captured and sent to the attacker's server, enabling Account Takeover. Version 1.5.0 patches the issue.
Deeper analysis
CVE-2026-24010 is a critical file upload vulnerability in Horilla, a free and open-source Human Resource Management System (HRMS), affecting versions prior to 1.5.0. Published on 2026-01-22, the flaw enables authenticated users to upload malicious HTML files disguised as profile pictures, facilitating phishing attacks through improper file handling. It carries a CVSS v3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) and is linked to CWE-74 (Improper Neutralization of Special Elements), CWE-474 (Comparison of Classes by Name), and CWE-434 (Unrestricted Upload of File with Dangerous Type).
An authenticated attacker with low privileges can exploit this vulnerability by uploading a malicious HTML file that mimics Horilla's login page. Using social engineering, the attacker tricks a victim into visiting the publicly accessible URL of the uploaded file, where they encounter a convincing "Session Expired" message prompting re-authentication. The victim's entered credentials are captured and sent to the attacker's server, enabling full account takeover and potential further compromise within the HRMS environment.
Horilla version 1.5.0 fully patches this issue by addressing the file upload restrictions. Administrators are advised to immediately upgrade to version 1.5.0 or later. Additional details are available in the GitHub security advisory (GHSA-5jfv-gw8w-49h3) at https://github.com/horilla-opensource/horilla/security/advisories/GHSA-5jfv-gw8w-49h3 and the release notes at https://github.com/horilla-opensource/horilla/releases/tag/1.5.0.
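The mitigations above (SI-10 content and type validation, plus restricting how uploads are served) come down to one rule: a "profile picture" is accepted only when its extension, its magic bytes and its leading content all agree that it is an image, and it is then served with a fixed Content-Type and nosniff so a browser never renders it as a page. The following is an added illustration written for this page, not Horilla's own code; the function names, the constructed sample bytes and the header set are assumptions.

```python
import re

# Magic-byte signatures for the image formats a profile-picture field should accept.
IMAGE_SIGNATURES = {
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/gif": [b"GIF87a", b"GIF89a"],
}
ALLOWED_EXTENSIONS = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg", "gif": "image/gif"}

# Markup a browser's MIME sniffer may honour if it appears near the start of the body
# (guards against image/HTML polyglots whose magic bytes are valid).
HTML_MARKERS = re.compile(rb"<\s*(!doctype|html|script|body|head|iframe|svg|meta|form)", re.IGNORECASE)


def sniff_image_type(data: bytes):
    """Return the image MIME type implied by the leading bytes, or None if it is not an image."""
    for mime, sigs in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in sigs):
            return mime
    return None


def validate_profile_picture(filename: str, data: bytes, max_bytes: int = 2 * 1024 * 1024):
    """Return (ok, detail): on success detail is the MIME type to serve the file with,
    on failure it is the rejection reason. Extension, magic bytes and content must agree."""
    if not data or len(data) > max_bytes:
        return False, "empty or oversized upload"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '{ext}' not allowed"
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return False, "content is not a recognised image"
    if sniffed != ALLOWED_EXTENSIONS[ext]:
        return False, f"extension says {ALLOWED_EXTENSIONS[ext]} but content is {sniffed}"
    if HTML_MARKERS.search(data[:1024]):
        return False, "image contains HTML markup in its leading bytes"
    return True, sniffed


def upload_response_headers(mime: str) -> dict:
    """Headers for serving a stored upload so the browser treats it only as the validated image type."""
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed samples (not taken from the advisory): a minimal PNG header, and HTML named as a PNG.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 20
FAKE_AVATAR_HTML = b"<!DOCTYPE html><html><body>Session Expired</body></html>"
```

Serving uploads from a separate origin remains the stronger control; the headers here limit the damage when that is not possible.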
Details
- CWE(s)