CVE-2026-24034 is a vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) found in horilla, a free and open-source Human Resource Management System. In versions prior to 1.5.0, the system fails to properly validate the file extension and content-type during the profile photo update process. This lack of validation enables an authenticated attacker with low privileges to upload files containing malicious scripts. When these files are processed or rendered by the application, they can trigger cross-site scripting (XSS) attacks, potentially allowing the attacker to execute arbitrary scripts in the context of the victim's browser session. The vulnerability affects confidentiality and integrity by enabling theft or manipulation of sensitive HR data and session tokens but does not impact system availability. The CVSS 3.1 base score is 5.4 (medium), reflecting network attack vector, low complexity, required privileges, no user interaction, and limited impact on confidentiality and integrity. The vulnerability was publicly disclosed on January 22, 2026, and fixed in horilla version 1.5.0. There are no known exploits in the wild at this time. Organizations using affected versions should apply the update promptly to prevent exploitation.

For European organizations, this vulnerability poses a moderate risk primarily to the confidentiality and integrity of sensitive HR data. Successful exploitation could lead to unauthorized access to employee information, session hijacking, or manipulation of user data via XSS attacks. Since horilla is an HRMS, compromised data could include personally identifiable information (PII), payroll details, and other sensitive records, potentially leading to privacy violations and regulatory non-compliance under GDPR. The requirement for attacker authentication limits the scope to insiders or compromised accounts, but the low complexity of exploitation increases risk. The vulnerability does not affect availability, so denial-of-service is unlikely. Organizations with large HR departments or those relying on horilla for critical HR functions are at higher risk. The absence of known exploits reduces immediate threat but does not eliminate the risk of future attacks.

European organizations should immediately upgrade horilla to version 1.5.0 or later, where the vulnerability is fixed. Until the update can be applied, implement strict access controls to limit profile photo update permissions to trusted users only. Employ web application firewalls (WAFs) with rules to detect and block malicious file uploads and suspicious script payloads. Conduct regular audits of uploaded files and monitor logs for unusual activity related to profile photo updates. Educate HR and IT staff about the risks of file upload vulnerabilities and encourage prompt reporting of suspicious behavior. Additionally, implement Content Security Policy (CSP) headers to mitigate the impact of potential XSS attacks by restricting script execution. Finally, ensure that all user input, including uploaded files, is sanitized and validated at multiple layers within the application.