CVE-2025-59525
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-24

Last updated on: 2025-09-29

Assigner: GitHub, Inc.

Description
Horilla is a free and open source Human Resource Management System (HRMS). Prior to version 1.4.0, improper sanitization across the application allows XSS via uploaded SVG (and via allowed <embed>), which can be chained to execute JavaScript whenever users view impacted content (e.g., announcements). This can result in admin account takeover. This issue has been patched in version 1.4.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-24
Last Modified
2025-09-29
Generated
2026-06-16
AI Q&A
2025-09-24
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59525
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
horilla horilla to 1.4.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Horilla HRMS prior to version 1.4.0 is caused by improper sanitization of uploaded SVG files and allowed <embed> elements. This flaw allows attackers to inject malicious JavaScript code (cross-site scripting or XSS) that executes when users view affected content, such as announcements. The XSS can be chained to take over administrator accounts.

Impact Analysis

The vulnerability can lead to an attacker executing arbitrary JavaScript in the context of the HRMS application, potentially resulting in the takeover of administrator accounts. This could allow unauthorized access to sensitive HR data, manipulation of system settings, or other malicious actions within the application.

Mitigation Strategies

Upgrade Horilla to version 1.4.0 or later, as this version contains the patch that fixes the improper sanitization allowing XSS via uploaded SVG and <embed> elements. Until the upgrade can be performed, avoid uploading SVG files and restrict user access to content that may contain embedded SVG or <embed> elements to reduce the risk of exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59525. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart