Platform
other
Component
horilla
Fixed in
1.4.1
CVE-2025-59832 describes a stored Cross-Site Scripting (XSS) vulnerability affecting Horilla HRMS, a free and open-source Human Resource Management System. This vulnerability allows a low-privilege authenticated user to inject malicious JavaScript code into the ticket comment editor, potentially leading to session hijacking and unauthorized access. Versions of Horilla HRMS prior to 1.4.0 are affected, and a patch is available in version 1.4.0.
The impact of this XSS vulnerability is significant. A successful attacker can inject arbitrary JavaScript code into the ticket comment editor, which will be executed in the context of any administrator viewing the comment. This allows the attacker to steal the administrator's session cookies or CSRF tokens, effectively hijacking their account. With control of the administrator's account, an attacker could perform any action within the HRMS, including accessing sensitive employee data, modifying records, or even compromising the entire system. This vulnerability is particularly concerning given the sensitive nature of HR data and the potential for widespread impact.
CVE-2025-59832 was publicly disclosed on 2025-09-25. No public proof-of-concept (POC) code has been released at the time of writing, but the vulnerability's ease of exploitation suggests a potential for rapid exploitation. The CVSS score of 9.9 (CRITICAL) indicates a high probability of exploitation. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.08% (24% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-59832 is to upgrade Horilla HRMS to version 1.4.0 or later, which includes the necessary patch. If upgrading immediately is not possible, consider implementing stricter input validation and output encoding on the ticket comment editor to prevent the injection of malicious scripts. While not a complete solution, a Web Application Firewall (WAF) configured to block XSS payloads targeting the comment editor can provide an additional layer of defense. After upgrading, verify the fix by attempting to inject a simple JavaScript payload into a ticket comment and confirming that it is not executed.
Update Horilla HRMS to version 1.4.0 or higher. This version contains a fix for the stored XSS vulnerability in the ticket comment section. The update will mitigate the risk of malicious users executing arbitrary JavaScript in an administrator’s browser.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-59832 is a critical stored XSS vulnerability in Horilla HRMS versions before 1.4.0. It allows authenticated users to inject JavaScript code, potentially hijacking administrator sessions.
You are affected if you are using Horilla HRMS version 1.4.0 or earlier. Upgrade to 1.4.0 to resolve the vulnerability.
Upgrade Horilla HRMS to version 1.4.0 or later. As a temporary workaround, implement stricter input validation and output encoding on the ticket comment editor.
While no active exploitation has been confirmed, the vulnerability's criticality and ease of exploitation suggest a potential for rapid exploitation.
Refer to the official Horilla HRMS website or GitHub repository for the latest security advisories and updates.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.