CVE-2026-24037

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-24037

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24037.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-24037

Aliases

GHSA-rqw5-fjm4-rgvm

Published

2026-01-22T03:31:37.305Z

Modified

2026-03-01T02:56:47.875890Z

Severity

4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

Horilla HRM has XSS Bypass through Project Name

Details

Horilla is a free and open source Human Resource Management System (HRMS). In version 1.4.0, the has_xss() function attempts to block XSS by matching input against a set of regex patterns. However, the regexes are incomplete and context-agnostic, making them easy to bypass. Attackers are able to redirect users to malicious domains, run external JavaScript, and steal CSRF tokens that can be used to craft CSRF attacks against admins. This issue has been fixed in version 1.5.0.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24037.json"
}

References

Affected packages

Git / github.com/horilla-opensource/horilla

Affected ranges

Type: GIT
Repo: https://github.com/horilla-opensource/horilla
Events: Introduced

aa1a288dd79f3c1c7c1a1cb037fcf4c790c1bb8c

Fixed

a66f8b7ff4c49f39688f24485d228a295f640076

Affected versions

1.*

1.4.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24037.json"