CVE-2025-59524 is a high-severity cross-site scripting (XSS) vulnerability affecting versions of the Horilla Human Resource Management System (HRMS) prior to 1.4.0. Horilla is an open-source HRMS platform used to manage employee data and related workflows. The vulnerability arises from improper input validation during the file upload process. Specifically, the system relies solely on client-side validation to restrict uploaded file types, without enforcing server-side checks. An attacker can bypass client-side controls by crafting malicious requests or using an intercepting proxy to upload executable HTML files containing embedded scripts. When a privileged user, such as an administrator, views the uploaded file within the application, the embedded script executes in the context of the user’s browser session. This allows the attacker to steal session cookies or other credentials and send them to an attacker-controlled endpoint. With these credentials, the attacker can impersonate the administrator, gaining unauthorized access to sensitive HR data and administrative functions. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation, i.e., XSS) and CWE-434 (Unrestricted Upload of File with Dangerous Type). The issue was addressed and patched in Horilla version 1.4.0 by implementing proper server-side validation to prevent malicious file uploads. The CVSS 4.0 base score is 7.7 (high severity), reflecting the vulnerability’s network attack vector, low attack complexity, no privileges or user interaction required, and significant impact on integrity and confidentiality due to session hijacking and privilege escalation. No known exploits are currently reported in the wild, but the vulnerability’s nature and ease of exploitation make it a critical risk for organizations using affected versions of Horilla.

For European organizations using Horilla HRMS versions prior to 1.4.0, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive employee and organizational data. Successful exploitation enables attackers to hijack administrator sessions, potentially leading to unauthorized access to personnel records, payroll information, and other confidential HR data. This can result in data breaches, identity theft, and compliance violations under regulations such as GDPR. Additionally, attacker control over administrative functions could allow manipulation or deletion of HR data, disrupting business operations and damaging organizational trust. The lack of required authentication or user interaction lowers the barrier for exploitation, increasing the likelihood of attacks. Given the critical role HRMS systems play in managing sensitive personal data, exploitation could also lead to reputational damage and legal consequences for affected European entities. Organizations in sectors with stringent data protection requirements, such as finance, healthcare, and government, are particularly vulnerable to the adverse effects of this vulnerability.

European organizations should immediately verify their Horilla HRMS version and upgrade to version 1.4.0 or later, where the vulnerability is patched with proper server-side validation of uploaded files. Until the upgrade is applied, organizations should implement compensating controls such as disabling file upload functionality if feasible or restricting upload permissions strictly to trusted users. Deploying web application firewalls (WAFs) with rules to detect and block malicious HTML or script content in file uploads can provide additional protection. Monitoring logs for unusual file upload activity and access patterns to HRMS administrative interfaces can help detect exploitation attempts early. Organizations should also conduct security awareness training for administrators to recognize suspicious files and avoid opening untrusted uploads. Regular vulnerability scanning and penetration testing focused on file upload mechanisms will help ensure no similar weaknesses exist. Finally, organizations must review and enforce strict content security policies (CSP) in their HRMS deployment to limit the impact of any potential script execution.