CVE-2026-24034
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-22

Last updated on: 2026-01-29

Assigner: GitHub, Inc.

Description
Horilla is a free and open source Human Resource Management System (HRMS). In versions prior to 1.5.0, a cross-site scripting vulnerability can be triggered because the extension and content-type are not checked during the profile photo update step. Version 1.5.0 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-22
Last Modified
2026-01-29
Generated
2026-06-16
AI Q&A
2026-01-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24034
EUVD
EUVD-2026-4214
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
horilla horilla to 1.5.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Cross-Site Scripting (XSS) issue in the Horilla HRMS software versions prior to 1.5.0. It occurs because the system does not validate the file extension or content-type when users update their profile photos. This allows an attacker to upload malicious files, such as HTML files containing JavaScript, which can then execute scripts in the victim's browser context. [1]

Impact Analysis

The vulnerability can allow attackers to execute arbitrary scripts in the context of a victim's browser. This can lead to theft of cookies and compromise of confidentiality. The impact includes limited data exposure and limited data modification, but no impact on service availability. The attack can be performed remotely with low complexity and minimal privileges, without requiring user interaction. [1]

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests to the profile photo update endpoint for uploads of files with suspicious extensions such as .html or content-types like text/html instead of expected image types. For example, you can use network traffic inspection tools like tcpdump or Wireshark to filter HTTP POST requests containing 'Content-Type: text/html' or filenames ending with .html. A sample tcpdump command to capture such traffic might be: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'Content-Type: text/html' or grep for filenames with .html in the POST data. Additionally, reviewing server logs for profile photo upload requests with unusual file extensions can help detect exploitation attempts. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade Horilla to version 1.5.0 or later, where this vulnerability is fixed by validating file extensions and content-types during profile photo uploads. Until the upgrade is possible, implement strict server-side validation to reject uploads with dangerous file types such as .html and enforce content-type checks to allow only legitimate image formats. Additionally, consider applying web application firewall (WAF) rules to block suspicious upload attempts and monitor for exploitation activity. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24034. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart