CVE-2026-24010
- Source
- https://cve.org/CVERecord?id=CVE-2026-24010
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24010.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-24010
- Aliases
-
- GHSA-5jfv-gw8w-49h3
- Published
- 2026-01-22T02:37:19.130Z
- Modified
- 2026-01-30T22:53:35.760776Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Horilla has HTML Injection Issue that, with Phishing, Leads to Account Takeover
- Details
-
Horilla is a free and open source Human Resource Management System (HRMS). A critical File Upload vulnerability in versions prior to 1.5.0, with Social Engineering, allows authenticated users to deploy phishing attacks. By uploading a malicious HTML file disguised as a profile picture, an attacker can create a convincing login page replica that steals user credentials. When a victim visits the uploaded file URL, they see an authentic-looking "Session Expired" message prompting them to re-authenticate. All entered credentials are captured and sent to the attacker's server, enabling Account Takeover. Version 1.5.0 patches the issue.
- Database specific
{ "cwe_ids": [ "CWE-474", "CWE-74" ], "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24010.json" }- References