{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40865", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T15:57:41.718Z", "datePublished": "2026-04-21T18:14:19.523Z", "dateUpdated": "2026-04-21T18:45:50.143Z"}, "containers": {"cna": {"title": "Horilla: Insecure Direct Object Reference at `/employee/view-file/<int:id>", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/horilla/horilla-hr/security/advisories/GHSA-85cj-fwjh-fjv7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/horilla/horilla-hr/security/advisories/GHSA-85cj-fwjh-fjv7"}], "affected": [{"vendor": "horilla-opensource", "product": "horilla", "versions": [{"version": "1.5.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T18:14:19.523Z"}, "descriptions": [{"lang": "en", "value": "Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in the employee document viewer allows any authenticated user to access other employees\u2019 uploaded documents by changing the document ID in the request. This exposes sensitive HR files such as identity documents, contracts, certificates, and other private employee records."}], "source": {"advisory": "GHSA-85cj-fwjh-fjv7", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/horilla/horilla-hr/security/advisories/GHSA-85cj-fwjh-fjv7", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T18:45:44.870751Z", "id": "CVE-2026-40865", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T18:45:50.143Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40865", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T18:45:44.870751Z"}}}], "references": [{"url": "https://github.com/horilla/horilla-hr/security/advisories/GHSA-85cj-fwjh-fjv7", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T18:45:35.731Z"}}], "cna": {"title": "Horilla: Insecure Direct Object Reference at `/employee/view-file/<int:id>", "source": {"advisory": "GHSA-85cj-fwjh-fjv7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "horilla-opensource", "product": "horilla", "versions": [{"status": "affected", "version": "1.5.0"}]}], "references": [{"url": "https://github.com/horilla/horilla-hr/security/advisories/GHSA-85cj-fwjh-fjv7", "name": "https://github.com/horilla/horilla-hr/security/advisories/GHSA-85cj-fwjh-fjv7", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in the employee document viewer allows any authenticated user to access other employees\u2019 uploaded documents by changing the document ID in the request. This exposes sensitive HR files such as identity documents, contracts, certificates, and other private employee records."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T18:14:19.523Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40865", "state": "PUBLISHED", "dateUpdated": "2026-04-21T18:45:50.143Z", "dateReserved": "2026-04-15T15:57:41.718Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T18:14:19.523Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in the employee document viewer allows any authenticated user to access other employees\u2019 uploaded documents by changing the document ID in the request. This exposes sensitive HR files such as identity documents, contracts, certificates, and other private employee records."}], "id": "CVE-2026-40865", "lastModified": "2026-04-21T19:16:18.017", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T19:16:18.017", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/horilla/horilla-hr/security/advisories/GHSA-85cj-fwjh-fjv7"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/horilla/horilla-hr/security/advisories/GHSA-85cj-fwjh-fjv7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.5.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "horilla", "source": "cna", "vendor": "horilla-opensource"}, "product": "horilla", "vendor": "horilla"}], "analysis": {"en": {"generated_at": "2026-04-22T05:35:26.124837+00:00", "value": {"mitigation_remediation": ["Apply the latest Horilla release that contains the IDR fix or apply the vendor patch if available. ", "Restrict access to the document viewer to users with HR or administrative roles, ensuring that only authorized personnel can request document ids. ", "Implement server\u2011side validation that checks the requesting user\u2019s permissions against the employee record before returning the file."], "summary": {"action": "Patch", "impact": "Unauthorized File Access"}, "threat_synthesis": {"affected_systems": "The affected product is the open\u2011source Human Resource Management System Horilla, version 1.5.0. Users running this exact version of the software are vulnerable; all newer releases that have applied the fix are not affected.", "description_and_impact": "An insecure direct object reference in Horilla\u2019s employee document viewer allows any authenticated user to change a numeric document identifier in the URL and obtain access to other employees\u2019 confidential files, including identity documents, contracts, and certificates. This weakness is aligned with CWE-284, illustrating erroneous permission assignment, and CWE-639, reflecting authorization bypass through user\u2011controlled input. The exposed data could lead to identity theft, privacy violations, and compromise of sensitive corporate records if accessed by malicious actors.", "risk_and_exploitability": "The CVSS score of 7.1 indicates a moderate to high severity. Because the vulnerability requires authentication, an attacker must possess valid user credentials or gain access through other means before exploitation can occur. Current EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that widespread exploitation has not yet been observed. Nonetheless, any organization that stores sensitive employee records should consider the risk of internal misuse or credential compromise."}}}}, "created": "2026-04-22T05:45:09.822136+00:00", "updated": "2026-04-22T11:45:54.459330+00:00", "vendors": ["horilla", "horilla$PRODUCT$horilla"]}