CVE-2025-48867
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-24

Last updated on: 2025-09-29

Assigner: GitHub, Inc.

Description
Horilla is a free and open source Human Resource Management System (HRMS). A stored cross-site scripting (XSS) vulnerability in Horilla HRM 1.3.0 allows authenticated admin or privileged users to inject malicious JavaScript payloads into multiple fields in the Project and Task modules. These payloads persist in the database and are executed when viewed by an admin or other privileged users through the web interface. Although the issue is not exploitable by unauthenticated users, it still poses a high risk of session hijacking and unauthorized action within high-privilege accounts. At time of publication there is no known patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-24
Last Modified
2025-09-29
Generated
2026-06-16
AI Q&A
2025-09-24
EPSS Evaluated
2026-06-14
NVD
CVE-2025-48867
EUVD
EUVD-2025-31024
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
horilla horilla 1.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a stored cross-site scripting (XSS) issue in Horilla HRM 1.3.0. Authenticated admin or privileged users can inject malicious JavaScript code into multiple fields in the Project and Task modules. The injected code is saved in the database and executed when viewed by other admins or privileged users through the web interface.

Impact Analysis

The vulnerability can lead to session hijacking and unauthorized actions within high-privilege accounts. Since the malicious scripts execute in the context of privileged users, attackers can potentially take over admin sessions or perform unauthorized operations, compromising the security of the HRMS.

Mitigation Strategies

Since there is no known patch available at the time of publication, immediate mitigation steps include restricting access to the Project and Task modules to only trusted and necessary privileged users, avoiding the input of untrusted data into these fields, and monitoring for suspicious activity by privileged users. Additionally, educating admin users about the risk of stored XSS and encouraging them to avoid clicking on suspicious links or inputs within the HRM interface can help reduce risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-48867. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart