CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in the employee document upload endpoint allows any authenticated user to overwrite, replace, or corrupt another employee's document by changing the document ID in the upload request. This enables unauthorized modification of HR records.
Analysis (AI)
Authenticated users in Horilla HRMS 1.5.0 can overwrite or corrupt any employee's documents via insecure direct object reference (IDOR) in the document upload endpoint. By manipulating the document ID parameter in upload requests, attackers with low-level access can modify HR records belonging to other employees, including executives or administrators. …
Remediation (AI)
Within 24 hours: Disable or restrict access to the document upload endpoint in Horilla HRMS 1.5.0 until patched; audit all document modifications in the past 30 days for unauthorized changes. Within 7 days: Evaluate upgrade options to a patched version of Horilla HRMS or implement compensating access controls limiting document upload privileges to HR administrators only. …
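The flawed lookup described above, beside the owner/HR-administrator scoping and audit record the remediation calls for, as an added Python example. It is not Horilla's code; the class names, in-memory store and sample documents are constructed for illustration.

```python
# Added example (not Horilla's code): models the IDOR in an employee-document
# upload and the authorization check that closes it. All names are hypothetical.
from dataclasses import dataclass


class PermissionDenied(Exception):
    """Raised when the caller may not modify the requested document."""


@dataclass
class User:
    employee_id: int
    is_hr_admin: bool = False


@dataclass
class EmployeeDocument:
    doc_id: int
    owner_employee_id: int
    content: bytes


# Constructed in-memory store standing in for the employee-documents table.
DOCUMENTS = {
    101: EmployeeDocument(101, owner_employee_id=1, content=b"alice-contract-v1"),
    202: EmployeeDocument(202, owner_employee_id=2, content=b"bob-contract-v1"),
}
AUDIT_LOG = []  # (actor employee_id, doc_id, new size) for the 30-day review


def is_authorized(user, doc):
    """Owner of the document, or an HR administrator (compensating control)."""
    return user.is_hr_admin or doc.owner_employee_id == user.employee_id


def upload_vulnerable(user, doc_id, new_content):
    """Flawed pattern: only authentication is assumed, so any logged-in user
    can overwrite any document by changing doc_id in the request."""
    doc = DOCUMENTS[doc_id]  # looked up by the client-supplied ID alone
    doc.content = new_content
    return doc


def upload_hardened(user, doc_id, new_content):
    """Fixed pattern: the write is scoped to documents the caller may modify,
    and every accepted write is recorded for later audit."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or not is_authorized(user, doc):
        # Same error for "missing" and "not yours", so IDs cannot be enumerated.
        raise PermissionDenied(f"document {doc_id} not accessible")
    AUDIT_LOG.append((user.employee_id, doc_id, len(new_content)))
    doc.content = new_content
    return doc
```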
EUVD-2026-24234