Which versions of Horilla HRMS are affected by CVE-2026-40866?

Horilla HRMS 1.5.0 contains an authentication bypass vulnerability that allows authenticated low-privilege employees to modify or corrupt HR documents belonging to any other employee, including…

How to fix or mitigate CVE-2026-40866?

Within 24 hours: Disable or restrict access to the document upload endpoint in Horilla HRMS 1.5.0 until patched; audit all document modifications in the past 30 days for unauthorized changes. Within 7 days: Evaluate upgrade options to a patched version of Horilla HRMS or implement compensating access controls limiting document upload privileges to HR administrators only. Within 30 days: Complete migration to a patched Horilla HRMS version or deploy a reverse-proxy rule enforcing document ownership validation on all upload requests.

Horilla HRMS CVE-2026-40866

Q: What is the CVSS score of CVE-2026-40866?

CVE-2026-40866 has a CVSS 4.0 base score of 8.6 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-24234 HIGH

Improper Access Control (CWE-284)

2026-04-21 GitHub_M

Authentication Bypass Horilla

8.6

CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.6 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Re-analysis Queued

Apr 21, 2026 - 20:22 vuln.today

cvss_changed

Analysis Generated

Apr 21, 2026 - 19:47 vuln.today

CVSS changed

Apr 21, 2026 - 19:22 NVD

8.6 (HIGH)

EUVD ID Assigned

Apr 21, 2026 - 19:00 euvd

EUVD-2026-24234

Analysis Generated

Apr 21, 2026 - 19:00 vuln.today

CVE Published

Apr 21, 2026 - 18:15 nvd

HIGH 8.6

DescriptionGitHub Advisory

Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in the employee document upload endpoint allows any authenticated user to overwrite or replace or corrupt another employee’s document by changing the document ID in the upload request. This enables unauthorized modification of HR records.

AnalysisAI

Authenticated users in Horilla HRMS 1.5.0 can overwrite or corrupt any employee's documents via insecure direct object reference (IDOR) in the document upload endpoint. By manipulating the document ID parameter in upload requests, attackers with low-level access can modify HR records belonging to other employees, including executives or administrators. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate as low-privilege user

Delivery

Access document upload endpoint

Exploit

Enumerate target document IDs

Execution

Modify document_id parameter in upload request

Persist

Submit malicious file

Impact

Overwrite victim's HR document