CVE-2026-24039

MEDIUM

Horilla 1.4.0 - Privilege Escalation

Title source: llm

Description

Horilla is a free and open source Human Resource Management System (HRMS). Version 1.4.0 has Improper Access Control, allowing low-privileged employees to self-approve documents they have uploaded. The document-approval UI is intended to be restricted to administrator or high-privilege roles only; however, an insufficient server-side authorization check on the approval endpoint lets a standard employee modify the approval status of their own uploaded document. A successful exploitation allows users with only employee-level permissions to alter application state reserved for administrators. This undermines the integrity of HR processes (for example, acceptance of credentials, certifications, or supporting materials), and may enable submission of unvetted documents. This issue is fixed in version 1.5.0.

References (2)

Core 2

Core References

Exploit, Vendor Advisory x_refsource_confirm

https://github.com/horilla-opensource/horilla/security/advisories/GHSA-99mq-mhwv-w9qx

Release Notes x_refsource_misc

https://github.com/horilla-opensource/horilla/releases/tag/1.5.0

Scores

CVSS v3 4.3

EPSS 0.0025

EPSS Percentile 15.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-284

Status published

Products (1)

horilla/horilla 1.4.0

Published Jan 22, 2026

Tracked Since Feb 18, 2026