CVE-2025-48869
Horilla 1.3.0 - Unauthenticated Sensitive Information Exposure via Resume File URL
Severity
HIGH
Title source: llmDescription
Horilla is a free and open source Human Resource Management System (HRMS). Unauthenticated users can access uploaded resume files in Horilla 1.3.0 by directly guessing or predicting file URLs. These files are stored in a publicly accessible directory, allowing attackers to retrieve sensitive candidate information without authentication. At time of publication there is no known patch.
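The description above boils down to two missing controls: resume uploads sit in a directory the web server hands out to anyone, and they sit there under guessable names. The following is an added example, not Horilla's code or the advisory's, showing the hardened pattern a defender would want: keep uploads in a directory the web server never serves, give them unguessable names, and return bytes only through an application function that checks authentication and authorization first. All names here (ResumeStore, User, serve, the HR role) are hypothetical, and the sample PDF bytes are constructed.

```python
"""
Hardened resume storage, as a contrast to the pattern the advisory describes
(files written to a public media directory under their original names, so a
URL like /media/<dir>/<original_name>.pdf answers to anyone).

In a real app the HTTP route /recruitment/resume/<resume_id>/ would call
ResumeStore.serve() and stream the returned bytes; the storage directory
itself is never mapped to a URL.
"""
import secrets
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


class AccessDenied(Exception):
    """Raised instead of returning file contents when any check fails."""


@dataclass
class User:
    # Hypothetical minimal user model: anonymous by default.
    username: str
    is_authenticated: bool = False
    is_hr: bool = False


@dataclass
class ResumeStore:
    root: Path                      # private directory, NOT under the web root
    index: dict = field(default_factory=dict)  # resume_id -> (storage name, owner)

    def save(self, owner: str, original_name: str, data: bytes) -> str:
        """Store the upload under a random name; the original filename never hits disk."""
        self.root.mkdir(parents=True, exist_ok=True)
        ext = Path(original_name).suffix.lower()
        storage_name = secrets.token_urlsafe(32) + ext
        (self.root / storage_name).write_bytes(data)
        resume_id = secrets.token_hex(8)    # opaque id used in the URL
        self.index[resume_id] = (storage_name, owner)
        return resume_id

    def serve(self, user: User, resume_id: str) -> bytes:
        """Return file bytes only to the uploading candidate or HR staff."""
        # 1. Authentication: anonymous callers get nothing, whatever the URL.
        if not user.is_authenticated:
            raise AccessDenied("login required")
        entry = self.index.get(resume_id)
        if entry is None:
            # Same error as the unauthorized case: no existence oracle.
            raise AccessDenied("not permitted")
        storage_name, owner = entry
        # 2. Authorization: owner or HR role, nothing else.
        if user.username != owner and not user.is_hr:
            raise AccessDenied("not permitted")
        path = (self.root / storage_name).resolve()
        # 3. Defensive: the resolved path must stay inside the private root.
        if self.root.resolve() not in path.parents:
            raise AccessDenied("path outside store")
        return path.read_bytes()


def demo() -> dict:
    """Exercise the store with constructed data; returns each caller's outcome."""
    root = Path(tempfile.mkdtemp(prefix="resumes_"))
    store = ResumeStore(root)
    sample = b"%PDF-1.4 constructed sample resume"
    rid = store.save("alice", "Alice_CV.pdf", sample)
    callers = {
        "anonymous": User("anon"),
        "owner": User("alice", is_authenticated=True),
        "other_candidate": User("bob", is_authenticated=True),
        "hr": User("hr_staff", is_authenticated=True, is_hr=True),
    }
    outcomes = {}
    for label, user in callers.items():
        try:
            outcomes[label] = store.serve(user, rid)
        except AccessDenied as exc:
            outcomes[label] = f"denied: {exc}"
    # The guessable original name must not exist on disk.
    outcomes["original_name_on_disk"] = (root / "Alice_CV.pdf").exists()
    return outcomes


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The random storage name is defence in depth, not the fix: even an unguessable path is still exposed if the directory is web-served, which is why `serve()` is the only way bytes leave the store.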
References (1)
Exploit, Vendor Advisory (x_refsource_confirm)
https://github.com/horilla-opensource/horilla/security/advisories/GHSA-99h5-x29f-727w
Scores
CVSS v3
7.5
EPSS
0.0041
EPSS Percentile
32.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-284
Status
published
Products (1)
horilla/horilla
1.3
Published
Sep 24, 2025
Tracked Since
Feb 18, 2026