CVE-2026-24034

Severity: Medium
WAF coverage: Medium
CVSS: 5.4
Published: 2026-01-22
CWE-434

Horilla is a free and open source Human Resource Management System (HRMS). In versions prior to 1.5.0, a cross-site scripting vulnerability can be triggered because the extension and content-type are not checked during the profile photo update step. Version 1.5.0 fixes the issue.

WAF Coverage Analysis

Unrestricted File Upload: Medium WAF coverage

OWASP: A04:2021 Insecure Design

930xxx - Local File Inclusion

Affected Software

Vendor: horilla
Product: horilla
Version: up to 1.5.0

References
