CVE-2025-59832

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-59832

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59832.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-59832

Aliases

GHSA-8x78-6q9g-hv2h

Published

2025-09-25T14:45:19.214Z

Modified

2026-04-10T05:32:13.772993Z

Severity

9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L CVSS Calculator

Summary

Horrila Stored XSS Vulnerability via Ticket Comment section

Details

Horilla is a free and open source Human Resource Management System (HRMS). Prior to version 1.4.0, there is a stored XSS vulnerability in the ticket comment editor. A low-privilege authenticated user could run arbitrary JavaScript in an admin’s browser, exfiltrate the admin’s cookies/CSRF token, and hijack their session. This issue has been patched in version 1.4.0.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59832.json",
    "cwe_ids": [
        "CWE-79"
    ],
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/horilla-opensource/horilla

Affected ranges

Type: GIT
Repo: https://github.com/horilla-opensource/horilla
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

aa1a288dd79f3c1c7c1a1cb037fcf4c790c1bb8c

Affected versions

1.*

1.0.0

1.1.0

1.2.0

1.2.1

1.2.2

1.2.3

1.3

1.3.1

1.3.2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59832.json"