CVE-2026-10624

The vulnerability affects SourceCodester Human Resource Management 1.0, in the Employee View Page’s detailview.php. Manipulating the employeeid parameter leads to improper control of resource identifiers (an IDOR-style issue). Exploitation can be performed remotely, and public disclosure of the e...

EUVD-2026-34024

A vulnerability has been found in SourceCodester Human Resource Management 1.0. Affected by this vulnerability is an unknown functionality of the file /detailview.php of the component Employee View Page. Such manipulation of the argument employeeid leads to improper control of resource identifier...

CVE-2026-10624 SourceCodester Human Resource Management Employee View detailview.php resource injection

A vulnerability has been found in SourceCodester Human Resource Management 1.0. Affected by this vulnerability is an unknown functionality of the file /detailview.php of the component Employee View Page. Such manipulation of the argument employeeid leads to improper control of resource identifier...

CVE-2026-10624

A vulnerability has been found in SourceCodester Human Resource Management 1.0. Affected by this vulnerability is an unknown functionality of the file /detailview.php of the component Employee View Page. Such manipulation of the argument employeeid leads to improper control of resource identifier...

CVE-2026-27351

Missing Authorization vulnerability in Sekander Badsha Crew HRM allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Crew HRM: from n/a through 1.2.2...

PT-2026-45853

Name of the Vulnerable Software and Affected Versions SourceCodester Human Resource Management version 1.0 Description An issue exists in the Employee View Page component within the '/detailview.php' endpoint. Remote manipulation of the employeeid argument leads to improper control of resource...

CVE-2026-40865

Horilla is a free and open source Human Resource Management System HRMS. In 1.5.0, an insecure direct object reference in the employee document viewer allows any authenticated user to access other employees’ uploaded documents by changing the document ID in the request. This exposes sensitive HR...

CVE-2026-24035

Horilla is a free and open source Human Resource Management System HRMS. An Improper Access Control vulnerability exists in Horilla HR Software starting in version 1.4.0 and prior to version 1.5.0, allowing any authenticated employee to upload documents on behalf of another employee without prope...

EUVD-2026-4220

Horilla is a free and open source Human Resource Management System HRMS. Version 1.4.0 has Improper Access Control, allowing low-privileged employees to self-approve documents they have uploaded. The document-approval UI is intended to be restricted to administrator or high-privilege roles only;...

CVE-2026-24039

Horilla HRMS (v1.4.0) contains an improper access-control flaw on the document-approval endpoint, allowing low-privilege users to self-approve their own uploaded documents. This weak server-side authorization check enables employees to alter admin-reserved state. The issue is fixed in v1.5.0. Aff...

CVE-2026-24038

Horilla is a free and open source Human Resource Management System HRMS. In version 1.4.0, the OTP handling logic has a flawed equality check that can be bypassed. When an OTP expires, the server returns None, and if an attacker omits the otp field from their POST request, the user-supplied OTP i...

EUVD-2026-4218

Horilla is a free and open source Human Resource Management System HRMS. In version 1.4.0, the hasxss function attempts to block XSS by matching input against a set of regex patterns. However, the regexes are incomplete and context-agnostic, making them easy to bypass. Attackers are able to...

CVE-2026-24036 Horilla Exposes Unpublished Job Disclosures through Unauthenticated API

Horilla is a free and open source Human Resource Management System HRMS. Versions 1.4.0 and above expose unpublished job postings through the /recruitment/recruitment-details// endpoint without authentication. The response includes draft job titles, descriptions and application link allowing...

CVE-2026-24034 Horilla has File Upload XSS

Horilla is a free and open source Human Resource Management System HRMS. In versions prior to 1.5.0, a cross-site scripting vulnerability can be triggered because the extension and content-type are not checked during the profile photo update step. Version 1.5.0 fixes the issue...

CVE-2026-24010 Horilla has HTML Injection Issue that, with Phishing, Leads to Account Takeover

Horilla is a free and open source Human Resource Management System HRMS. A critical File Upload vulnerability in versions prior to 1.5.0, with Social Engineering, allows authenticated users to deploy phishing attacks. By uploading a malicious HTML file disguised as a profile picture, an attacker...

PT-2026-3914

Name of the Vulnerable Software and Affected Versions Horilla version 1.4.0 Description Horilla, a Human Resource Management System HRMS, contains a flaw in its two-factor authentication implementation. Specifically, the OTP handling logic has a flawed equality check. When an OTP expires, the...

CVE-2024-34222

Sourcecodester Human Resource Management System 1.0 is vulnerable to SQL Injection via the searccountry parameter...

CVE-2024-34223

Insecure permission vulnerability in /hrm/leaverequest.php in SourceCodester Human Resource Management System 1.0 allow attackers to approve or reject leave ticket...

CVE-2025-13420

A weakness has been identified in itsourcecode Human Resource Management System 1.0. This issue affects some unknown processing of the file /src/store/EventStore.php. This manipulation of the argument eventSubject causes sql injection. The attack can be initiated remotely. The exploit has been ma...

CVE-2025-13421

A security vulnerability has been detected in itsourcecode Human Resource Management System 1.0. Impacted is an unknown function of the file /src/store/NoticeStore.php. Such manipulation of the argument noticeDesc leads to sql injection. The attack can be launched remotely. The exploit has been...