Insecure Direct Object Reference in Horilla Human Resource Management System
CVE-2026-40866

8.6HIGH

Key Information:

Vendor: Horilla-opensource
Status: Horilla
Vendor: CVE Published:; 21 April 2026

🔔 Create Horilla-opensource Vulnerability Alert

What is CVE-2026-40866?

Horilla's Human Resource Management System version 1.5.0 contains a vulnerability that allows authenticated users to manipulate the employee document upload feature. By altering the document ID in upload requests, users can overwrite or corrupt another employee's documents. This flaw presents significant risks for unauthorized modification of sensitive HR records, potentially leading to data integrity issues.

Affected Version(s)

horilla 1.5.0

References

https://github.com/horilla/horilla-hr/security/advisories...

x_refsource_CONFIRM

CVSS V4

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 21, 2026
Vulnerability Reserved
Apr 15, 2026

CVE-2026-40866 Data

JSON