{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40866", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T15:57:41.718Z", "datePublished": "2026-04-21T18:15:30.126Z", "dateUpdated": "2026-04-21T19:29:21.663Z"}, "containers": {"cna": {"title": "Horilla: Unauthorized Document Overwrite via File Upload Endpoint", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/horilla/horilla-hr/security/advisories/GHSA-q2qh-v828-r4p7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/horilla/horilla-hr/security/advisories/GHSA-q2qh-v828-r4p7"}], "affected": [{"vendor": "horilla-opensource", "product": "horilla", "versions": [{"version": "1.5.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T18:15:30.126Z"}, "descriptions": [{"lang": "en", "value": "Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in the employee document upload endpoint allows any authenticated user to overwrite or replace or corrupt another employee\u2019s document by changing the document ID in the upload request. This enables unauthorized modification of HR records."}], "source": {"advisory": "GHSA-q2qh-v828-r4p7", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/horilla/horilla-hr/security/advisories/GHSA-q2qh-v828-r4p7", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T19:28:57.107763Z", "id": "CVE-2026-40866", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:29:21.663Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40866", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-21T19:28:57.107763Z"}}}], "references": [{"url": "https://github.com/horilla/horilla-hr/security/advisories/GHSA-q2qh-v828-r4p7", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:29:12.985Z"}}], "cna": {"title": "Horilla: Unauthorized Document Overwrite via File Upload Endpoint", "source": {"advisory": "GHSA-q2qh-v828-r4p7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "horilla-opensource", "product": "horilla", "versions": [{"status": "affected", "version": "1.5.0"}]}], "references": [{"url": "https://github.com/horilla/horilla-hr/security/advisories/GHSA-q2qh-v828-r4p7", "name": "https://github.com/horilla/horilla-hr/security/advisories/GHSA-q2qh-v828-r4p7", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in the employee document upload endpoint allows any authenticated user to overwrite or replace or corrupt another employee\u2019s document by changing the document ID in the upload request. This enables unauthorized modification of HR records."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T18:15:30.126Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40866", "state": "PUBLISHED", "dateUpdated": "2026-04-21T19:29:21.663Z", "dateReserved": "2026-04-15T15:57:41.718Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T18:15:30.126Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in the employee document upload endpoint allows any authenticated user to overwrite or replace or corrupt another employee\u2019s document by changing the document ID in the upload request. This enables unauthorized modification of HR records."}], "id": "CVE-2026-40866", "lastModified": "2026-04-21T20:17:00.093", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T19:16:18.170", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/horilla/horilla-hr/security/advisories/GHSA-q2qh-v828-r4p7"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/horilla/horilla-hr/security/advisories/GHSA-q2qh-v828-r4p7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.5.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "horilla", "source": "cna", "vendor": "horilla-opensource"}, "product": "horilla", "vendor": "horilla"}], "analysis": {"en": {"generated_at": "2026-04-22T05:35:13.135946+00:00", "value": {"mitigation_remediation": ["Upgrade to a patched version of Horilla that corrects the document ID validation or to any released update that removes the insecure direct object reference.", "If a patch is not yet available, enforce strict validation of document identifiers by checking that the ID belongs to the authenticated employee or that the employee has explicitly granted permission to modify that document.", "Enable detailed audit logging for document upload operations and regularly review logs for unexpected changes.", "Restrict user roles that have access to the upload endpoint to only those that truly require document uploads, applying the principle of least privilege to reduce the attack surface."], "summary": {"action": "Patch Immediately", "impact": "Unauthorized Document Overwrite"}, "threat_synthesis": {"affected_systems": "Affects the Horilla open\u2011source Human Resource Management System, specifically version 1.5.0. No other versions are listed in the advisory.", "description_and_impact": "The vulnerability is an insecure direct object reference in the employee document upload endpoint of the Horilla HRMS version 1.5.0. Any authenticated user can modify the document ID in the upload request and overwrite, replace, or corrupt another employee\u2019s file, enabling unauthorized changes to HR records. This flaw violates integrity and is an instance of broken access control (CWE\u2011284) and an authorization bypass (CWE\u2011639).", "risk_and_exploitability": "With a CVSS score of 8.6 the vulnerability presents high severity. While the EPSS score is not available and the flaw is not listed in KEV, the lack of these metrics does not diminish the threat. An attacker must first be authenticated and possess upload privileges, then can alter the destination document ID to target any employee, resulting in tampering of personnel records and potential compromise of confidentiality, integrity, and contractual obligations. Immediate remediation is recommended to prevent unauthorized document manipulation."}}}}, "created": "2026-04-22T05:45:09.821871+00:00", "updated": "2026-04-22T11:45:53.357652+00:00", "vendors": ["horilla", "horilla$PRODUCT$horilla"]}