CVE-2026-24010 affects horilla, a free and open-source Human Resource Management System (HRMS), in versions prior to 1.5.0. The vulnerability arises from improper neutralization of special elements in output (CWE-74), specifically in the file upload functionality. Authenticated users can upload malicious HTML files disguised as profile pictures. When other users access the URL of the uploaded file, they are presented with a convincing fake login page displaying a "Session Expired" message, prompting them to re-enter credentials. These credentials are then captured and sent to the attacker’s server, enabling account takeover. This attack leverages social engineering combined with the file upload flaw, exploiting trust in profile images to deliver phishing payloads within the application context. The vulnerability has a CVSS 3.0 base score of 8.8, indicating high severity, with network attack vector, low attack complexity, and no user interaction required beyond visiting the malicious URL. The flaw compromises confidentiality (credential theft), integrity (account takeover), and availability (potential account lockout or misuse). The issue is resolved in horilla version 1.5.0, which implements proper output neutralization and file upload restrictions to prevent malicious HTML content. No known exploits are publicly reported yet, but the vulnerability’s nature makes it a significant risk for organizations relying on horilla for HR management.

For European organizations using horilla HRMS, this vulnerability poses a critical risk to user credentials and system integrity. Successful exploitation can lead to widespread account takeovers, exposing sensitive employee data and internal HR processes. This can result in data breaches, regulatory non-compliance (e.g., GDPR violations), reputational damage, and operational disruptions. Since the attack requires authenticated access, insider threats or compromised accounts can be leveraged to escalate impact. The phishing vector embedded within the trusted HRMS environment increases the likelihood of credential harvesting, potentially affecting multiple users. Additionally, attackers gaining access to HR systems can manipulate payroll, personal data, or access other connected enterprise systems, amplifying the damage. The vulnerability’s ease of exploitation and high impact on confidentiality and integrity make it particularly dangerous for organizations with large or sensitive HR datasets.

1. Immediate upgrade to horilla version 1.5.0 or later, which patches the vulnerability by properly neutralizing output and restricting file upload types. 2. Implement strict server-side validation to restrict uploaded file types to safe image formats only (e.g., JPEG, PNG), explicitly blocking HTML or script files. 3. Employ Content Security Policy (CSP) headers to limit execution of malicious scripts from uploaded content. 4. Monitor file upload directories for suspicious files and regularly audit uploaded content. 5. Enforce multi-factor authentication (MFA) to reduce risk from compromised credentials. 6. Educate users about phishing risks, especially within internal applications, to reduce social engineering success. 7. Review and tighten access controls to limit authenticated user privileges to the minimum necessary. 8. Implement web application firewalls (WAF) with rules to detect and block malicious payloads in uploads. 9. Conduct regular security assessments and penetration testing focused on file upload functionalities. 10. Maintain incident response readiness to quickly address any detected exploitation attempts.