CVE-2026-24037: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in horilla-opensource horilla
CVE-2026-24037 is a medium-severity cross-site scripting (XSS) vulnerability in Horilla, an open-source Human Resource Management System (HRMS), affecting versions 1. 4. 0 up to but not including 1. 5. 0. The vulnerability arises from an incomplete and context-agnostic input filtering function (has_xss()) that fails to properly neutralize malicious input. Exploitation allows attackers to execute arbitrary JavaScript, redirect users to malicious domains, and steal CSRF tokens, enabling further attacks against administrative users. The flaw requires attacker authentication and user interaction but can lead to compromised confidentiality and integrity of sensitive HR data. No known exploits are currently reported in the wild, and the issue was fixed in version 1. 5.
AI Analysis
Technical Summary
CVE-2026-24037 is a cross-site scripting (XSS) vulnerability identified in Horilla, a free and open-source Human Resource Management System (HRMS). The vulnerability exists in version 1.4.0 due to the has_xss() function, which attempts to prevent XSS attacks by matching input against a set of regular expressions. However, these regex patterns are incomplete and do not consider the context in which input is used, making them ineffective at fully neutralizing malicious scripts. This flaw allows attackers who have authenticated access to inject malicious JavaScript code into web pages. The injected scripts can redirect users to attacker-controlled domains, execute arbitrary external JavaScript, and steal Cross-Site Request Forgery (CSRF) tokens. These stolen tokens can be leveraged to perform CSRF attacks against administrative users, potentially leading to unauthorized actions within the HRMS. The vulnerability affects versions from 1.4.0 up to but not including 1.5.0, where the issue has been addressed. The CVSS v3.1 base score is 4.8 (medium), reflecting that exploitation requires low complexity but does require privileges and user interaction. No known exploits have been reported in the wild, but the potential impact on confidentiality and integrity of sensitive HR data is significant. The vulnerability highlights the risks of relying solely on regex-based input filtering without context-aware sanitization in web applications.
Potential Impact
For European organizations, this vulnerability poses a risk to the confidentiality and integrity of sensitive employee data managed within the Horilla HRMS. Successful exploitation could lead to theft of session tokens and unauthorized administrative actions, potentially exposing personal data protected under GDPR. The ability to redirect users to malicious domains also increases the risk of phishing and further malware infections. While availability is not directly impacted, the reputational damage and regulatory consequences from data breaches could be severe. Organizations with HR departments using affected Horilla versions may face increased risk of targeted attacks, especially in sectors with high-value personnel data such as finance, healthcare, and government. The requirement for attacker authentication and user interaction somewhat limits the attack surface but does not eliminate risk, particularly if internal users are compromised or social engineering is employed.
Mitigation Recommendations
European organizations should immediately upgrade Horilla installations to version 1.5.0 or later, where the vulnerability is fixed. In addition, implement context-aware input validation and output encoding to prevent XSS beyond relying on regex filters. Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts and reduce impact of potential XSS. Monitor logs for unusual redirects or script injection attempts and conduct regular security audits of HRMS configurations. Limit user privileges to the minimum necessary to reduce the risk from compromised accounts. Educate users about phishing and social engineering risks that could facilitate exploitation. If upgrading is not immediately possible, consider deploying web application firewalls (WAFs) with rules to detect and block XSS payloads targeting Horilla. Regularly review and update CSRF protections to ensure tokens cannot be easily stolen or reused.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
CVE-2026-24037: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in horilla-opensource horilla
Description
CVE-2026-24037 is a medium-severity cross-site scripting (XSS) vulnerability in Horilla, an open-source Human Resource Management System (HRMS), affecting versions 1. 4. 0 up to but not including 1. 5. 0. The vulnerability arises from an incomplete and context-agnostic input filtering function (has_xss()) that fails to properly neutralize malicious input. Exploitation allows attackers to execute arbitrary JavaScript, redirect users to malicious domains, and steal CSRF tokens, enabling further attacks against administrative users. The flaw requires attacker authentication and user interaction but can lead to compromised confidentiality and integrity of sensitive HR data. No known exploits are currently reported in the wild, and the issue was fixed in version 1. 5.
AI-Powered Analysis
Technical Analysis
CVE-2026-24037 is a cross-site scripting (XSS) vulnerability identified in Horilla, a free and open-source Human Resource Management System (HRMS). The vulnerability exists in version 1.4.0 due to the has_xss() function, which attempts to prevent XSS attacks by matching input against a set of regular expressions. However, these regex patterns are incomplete and do not consider the context in which input is used, making them ineffective at fully neutralizing malicious scripts. This flaw allows attackers who have authenticated access to inject malicious JavaScript code into web pages. The injected scripts can redirect users to attacker-controlled domains, execute arbitrary external JavaScript, and steal Cross-Site Request Forgery (CSRF) tokens. These stolen tokens can be leveraged to perform CSRF attacks against administrative users, potentially leading to unauthorized actions within the HRMS. The vulnerability affects versions from 1.4.0 up to but not including 1.5.0, where the issue has been addressed. The CVSS v3.1 base score is 4.8 (medium), reflecting that exploitation requires low complexity but does require privileges and user interaction. No known exploits have been reported in the wild, but the potential impact on confidentiality and integrity of sensitive HR data is significant. The vulnerability highlights the risks of relying solely on regex-based input filtering without context-aware sanitization in web applications.
Potential Impact
For European organizations, this vulnerability poses a risk to the confidentiality and integrity of sensitive employee data managed within the Horilla HRMS. Successful exploitation could lead to theft of session tokens and unauthorized administrative actions, potentially exposing personal data protected under GDPR. The ability to redirect users to malicious domains also increases the risk of phishing and further malware infections. While availability is not directly impacted, the reputational damage and regulatory consequences from data breaches could be severe. Organizations with HR departments using affected Horilla versions may face increased risk of targeted attacks, especially in sectors with high-value personnel data such as finance, healthcare, and government. The requirement for attacker authentication and user interaction somewhat limits the attack surface but does not eliminate risk, particularly if internal users are compromised or social engineering is employed.
Mitigation Recommendations
European organizations should immediately upgrade Horilla installations to version 1.5.0 or later, where the vulnerability is fixed. In addition, implement context-aware input validation and output encoding to prevent XSS beyond relying on regex filters. Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts and reduce impact of potential XSS. Monitor logs for unusual redirects or script injection attempts and conduct regular security audits of HRMS configurations. Limit user privileges to the minimum necessary to reduce the risk from compromised accounts. Educate users about phishing and social engineering risks that could facilitate exploitation. If upgrading is not immediately possible, consider deploying web application firewalls (WAFs) with rules to detect and block XSS payloads targeting Horilla. Regularly review and update CSRF protections to ensure tokens cannot be easily stolen or reused.
Affected Countries
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-01-20T22:30:11.776Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6971a2234623b1157c336470
Added to database: 1/22/2026, 4:05:55 AM
Last enriched: 1/22/2026, 4:21:24 AM
Last updated: 1/22/2026, 6:19:29 AM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2024-23807: CWE-416 Use After Free in Apache Software Foundation Apache Xerces C++
HighCVE-2026-24049: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in pypa wheel
HighCVE-2026-24042: CWE-862: Missing Authorization in appsmithorg appsmith
CriticalCVE-2026-24039: CWE-284: Improper Access Control in horilla-opensource horilla
MediumCVE-2026-24038: CWE-287: Improper Authentication in horilla-opensource horilla
HighActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.