EUVD-2026-24235CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionNVD
Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, a broken access control vulnerability in the helpdesk attachment viewer allows any authenticated user to view attachments from other tickets by changing the attachment ID. This can expose sensitive support files and internal documents across unrelated users or teams.
AnalysisAI
Broken access control in Horilla HRMS 1.5.0 helpdesk module allows any authenticated employee to view support ticket attachments belonging to other users by manipulating attachment IDs in URLs. This exposes confidential HR documents, employee grievances, and internal communications across organizational boundaries. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 24 hours: Inventory all Horilla HRMS 1.5.0 deployments and document current user access patterns to the helpdesk module. Within 7 days: Implement URL parameter validation and access logging for all attachment downloads; restrict helpdesk module access to authorized HR and support personnel only; review recent attachment access logs for unauthorized downloads. …
Sign in for detailed remediation steps.
Share
External POC / Exploit Code
Leaving vuln.today