{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-21T10:03:00.467","vulnerabilities":[{"cve":{"id":"CVE-2026-24010","sourceIdentifier":"security-advisories@github.com","published":"2026-01-22T03:15:48.090","lastModified":"2026-01-29T20:00:49.013","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Horilla is a free and open source Human Resource Management System (HRMS). A critical File Upload vulnerability in versions prior to 1.5.0, with Social Engineering, allows authenticated users to deploy phishing attacks. By uploading a malicious HTML file disguised as a profile picture, an attacker can create a convincing login page replica that steals user credentials. When a victim visits the uploaded file URL, they see an authentic-looking \"Session Expired\" message prompting them to re-authenticate. All entered credentials are captured and sent to the attacker's server, enabling Account Takeover. Version 1.5.0 patches the issue."},{"lang":"es","value":"Horilla es un Sistema de Gestión de Recursos Humanos (HRMS) de código abierto y gratuito. Una vulnerabilidad crítica de carga de archivos en versiones anteriores a la 1.5.0, con ingeniería social, permite a usuarios autenticados desplegar ataques de phishing. Al cargar un archivo HTML malicioso disfrazado como una imagen de perfil, un atacante puede crear una réplica convincente de página de inicio de sesión que roba credenciales de usuario. Cuando una víctima visita la URL del archivo cargado, ve un mensaje de 'Sesión Expirada' de aspecto auténtico que les solicita volver a autenticarse. Todas las credenciales introducidas son capturadas y enviadas al servidor del atacante, lo que permite la toma de control de cuentas. La versión 1.5.0 corrige el problema."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H","baseScore":8.0,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.1,"impactScore":5.9}],"cvssMetricV30":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-74"},{"lang":"en","value":"CWE-474"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-434"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:horilla:horilla:*:*:*:*:*:*:*:*","versionEndExcluding":"1.5.0","matchCriteriaId":"57934F7E-B93F-40A5-9E9A-CB97D7568936"}]}]}],"references":[{"url":"https://github.com/horilla-opensource/horilla/releases/tag/1.5.0","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/horilla-opensource/horilla/security/advisories/GHSA-5jfv-gw8w-49h3","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}