CVE-2026-24037 is a cross-site scripting (XSS) vulnerability identified in Horilla, a free and open-source Human Resource Management System (HRMS). The vulnerability exists in version 1.4.0 where the has_xss() function attempts to prevent XSS attacks by matching user input against a set of regular expressions. However, these regex patterns are incomplete and do not consider the context in which the input is used, making them ineffective against sophisticated XSS payloads. As a result, attackers can inject malicious JavaScript code into web pages generated by Horilla. This enables several attack vectors including redirecting users to malicious websites, executing arbitrary scripts in the context of the victim’s browser, and stealing Cross-Site Request Forgery (CSRF) tokens. The stolen CSRF tokens can then be used to perform unauthorized actions on behalf of administrative users, potentially compromising the integrity of the HRMS data. The vulnerability requires the attacker to have high privileges (PR:H) and user interaction (UI:R), such as tricking a user into clicking a crafted link or submitting malicious input. The scope is changed (S:C) indicating the vulnerability can affect resources beyond the initially vulnerable component. The CVSS v3.1 base score is 4.8 (medium severity), reflecting limited confidentiality and integrity impact, no availability impact, and moderate exploit complexity. The issue was publicly disclosed on January 22, 2026, and fixed in Horilla version 1.5.0. No known exploits are currently reported in the wild.

For European organizations, the impact of this vulnerability can be significant, especially for those relying on Horilla for managing sensitive HR data. Successful exploitation could lead to unauthorized disclosure of sensitive employee information, manipulation of HR records, and unauthorized administrative actions via CSRF attacks. This can undermine trust in HR systems and lead to regulatory compliance issues under GDPR due to potential data breaches. The ability to redirect users to malicious domains also increases the risk of phishing and malware infections within corporate networks. Although the vulnerability requires high privileges and user interaction, insider threats or compromised accounts could be leveraged to exploit this flaw. The lack of availability impact means service disruption is unlikely, but confidentiality and integrity risks remain notable. Organizations with exposed HRMS web interfaces or those lacking robust input validation and security controls are particularly vulnerable.

The primary mitigation is to upgrade Horilla installations to version 1.5.0 or later, where the vulnerability has been fixed. Organizations should audit their HRMS deployments to identify any instances running vulnerable versions. In addition to patching, implement strict input validation and sanitization tailored to the context of input usage rather than relying solely on regex-based filters. Deploy Content Security Policies (CSP) to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. Employ multi-factor authentication and strict access controls to limit the risk posed by compromised privileged accounts. Conduct security awareness training to reduce the likelihood of successful social engineering or phishing attempts that could trigger user interaction exploitation. Regularly monitor logs and web traffic for suspicious activities indicative of attempted XSS or CSRF attacks. Finally, consider using web application firewalls (WAFs) with updated signatures to detect and block malicious payloads targeting this vulnerability.