Which versions of Horilla HRMS are affected by CVE-2026-40865?

Horilla HRMS 1.5.0 contains an insecure direct object reference vulnerability that allows authenticated employees to access other employees' sensitive HR documents-including identity documents,…

How to fix or mitigate CVE-2026-40865?

Within 24 hours: Audit API access logs for document ID manipulation patterns and identify affected employees. Notify your Horilla vendor contact to confirm patch timeline for version 1.5.0 and request interim security guidance. Within 7 days: Implement network-level API request logging and consider rate-limiting or IP-based access controls on the document viewer API endpoint. Within 30 days: Deploy patched version of Horilla HRMS as soon as vendor release is available, or migrate to alternative HRMS if no patch timeline is provided by vendor.

Horilla HRMS CVE-2026-40865

Q: What is the CVSS score of CVE-2026-40865?

CVE-2026-40865 has a CVSS 4.0 base score of 7.1 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-24231 HIGH

Improper Access Control (CWE-284)

2026-04-21 GitHub_M

Authentication Bypass Horilla

7.1

CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.1 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Re-analysis Queued

Apr 22, 2026 - 21:07 vuln.today

cvss_changed

Analysis Generated

Apr 21, 2026 - 19:47 vuln.today

CVSS changed

Apr 21, 2026 - 19:22 NVD

7.1 (HIGH)

EUVD ID Assigned

Apr 21, 2026 - 19:00 euvd

EUVD-2026-24231

Analysis Generated

Apr 21, 2026 - 19:00 vuln.today

CVE Published

Apr 21, 2026 - 18:14 nvd

HIGH 7.1

DescriptionGitHub Advisory

Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in the employee document viewer allows any authenticated user to access other employees’ uploaded documents by changing the document ID in the request. This exposes sensitive HR files such as identity documents, contracts, certificates, and other private employee records.

AnalysisAI

Insecure direct object reference in Horilla HRMS 1.5.0 employee document viewer allows authenticated users to access other employees' sensitive HR files by manipulating document IDs in API requests. Successful exploitation exposes identity documents, employment contracts, certificates, and other confidential employee records. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate with employee credentials

Delivery

Access document viewer feature

Exploit

Capture document request with ID parameter

Execution

Modify ID to enumerate other documents

Impact

Download sensitive employee files