Stored XSS Vulnerability in Horilla HRM by Horilla
CVE-2025-48867

4.8 MEDIUM

Key Information:

Status
Vendor
CVE Published: 24 September 2025

What is CVE-2025-48867?

A stored cross-site scripting vulnerability in Horilla HRM version 1.3.0 allows authenticated administrators or privileged users to inject malicious JavaScript payloads into various fields of the Project and Task modules. These harmful scripts persist in the database and execute whenever the affected pages are accessed by users with high privileges. Although unauthenticated users cannot exploit this vulnerability, it represents a significant threat, enabling potential session hijacking and unauthorized actions within high-privilege accounts. At this time, there is no known patch available.
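The class of bug described above is mitigated by refusing to store unsanitised markup in free-text fields and by escaping on output. The following is an added example, not Horilla's own code: a standard-library allowlist sanitiser that a Django form or model `clean()` hook (assumed; Horilla is a Django application) could apply to Project and Task text fields before saving. The allowed tag set and attribute policy are assumptions chosen for illustration.

```python
"""Allowlist HTML sanitiser for user-controlled rich-text fields (added example).

Keeps a small set of formatting tags, drops every other element (script, img,
svg, iframe, ...), strips on* event handlers and style attributes, and refuses
javascript:/data: URLs in links. Text nodes are always entity-encoded, so a
stored <script> body comes back out as inert text.
"""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "u", "p", "br", "ul", "ol", "li", "a"}   # assumed policy
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                                  # drop the element entirely
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                            # drops onclick=, onerror=, style=, ...
            value = value or ""
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                continue                            # drops javascript: and data: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text nodes are always encoded


def sanitize_html(raw: str) -> str:
    """Return `raw` with only allowlisted markup; call before persisting the field."""
    parser = _Sanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)
```

Sanitising on write is a second layer; the template layer must still autoescape the stored value rather than marking it safe.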

Affected Version(s)

horilla = 1.3.0

References

CVSS V3.1

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
