CVE-2025-59525
- Source
- https://cve.org/CVERecord?id=CVE-2025-59525
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59525.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-59525
- Aliases
-
- GHSA-rp5m-vpqr-vpvp
- Published
- 2025-09-24T18:15:12.850Z
- Modified
- 2026-04-10T05:32:06.810043Z
- Severity
-
- 7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N CVSS Calculator
- Summary
- Horilla has Improper Input Sanitization Leading to XSS and Admin Account Takeover
- Details
-
Horilla is a free and open source Human Resource Management System (HRMS). Prior to version 1.4.0, improper sanitization across the application allows XSS via uploaded SVG (and via allowed <embed>), which can be chained to execute JavaScript whenever users view impacted content (e.g., announcements). This can result in admin account takeover. This issue has been patched in version 1.4.0.
- Database specific
{ "cwe_ids": [ "CWE-434", "CWE-79" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59525.json", "cna_assigner": "GitHub_M" }- References
-
- https://github.com/Mmo-kali/CVE/blob/main/CVE-2025-59525/2025-08-Horilla_Vulnerability_2.pdf
- https://github.com/horilla-opensource/horilla/releases/tag/1.4.0
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59525.json
- https://github.com/horilla-opensource/horilla/security/advisories/GHSA-rp5m-vpqr-vpvp
- https://nvd.nist.gov/vuln/detail/CVE-2025-59525