{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-23T01:19:34.233","vulnerabilities":[{"cve":{"id":"CVE-2025-48867","sourceIdentifier":"security-advisories@github.com","published":"2025-09-24T18:15:37.510","lastModified":"2025-09-29T14:06:04.530","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Horilla is a free and open source Human Resource Management System (HRMS). A stored cross-site scripting (XSS) vulnerability in Horilla HRM 1.3.0 allows authenticated admin or privileged users to inject malicious JavaScript payloads into multiple fields in the Project and Task modules. These payloads persist in the database and are executed when viewed by an admin or other privileged users through the web interface. Although the issue is not exploitable by unauthenticated users, it still poses a high risk of session hijacking and unauthorized action within high-privilege accounts. At time of publication there is no known patch."},{"lang":"es","value":"Horilla es un Sistema de Gestión de Recursos Humanos (HRMS) gratuito y de código abierto. Una vulnerabilidad de cross-site scripting (XSS) almacenado en Horilla HRM 1.3.0 permite a usuarios administradores o privilegiados autenticados inyectar cargas útiles de JavaScript maliciosas en múltiples campos en los módulos de Proyecto y Tarea. Estas cargas útiles persisten en la base de datos y se ejecutan cuando son vistas por un administrador u otros usuarios privilegiados a través de la interfaz web. Aunque el problema no es explotable por usuarios no autenticados, aún representa un alto riesgo de secuestro de sesión y acción no autorizada dentro de cuentas de alto privilegio. Al momento de la publicación no existe un parche conocido."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N","baseScore":4.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":1.7,"impactScore":2.7}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:horilla:horilla:1.3:*:*:*:*:*:*:*","matchCriteriaId":"FB689BA6-40B8-4E5F-AEB4-6DCB6C76A651"}]}]}],"references":[{"url":"https://github.com/horilla-opensource/horilla/security/advisories/GHSA-w242-xv47-j55r","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}