Platform
php
Component
horilla-hr
Fixed in
1.5.1
CVE-2026-40866 describes an Unrestricted File Upload vulnerability affecting Horilla HRMS versions 1.5.0 through 1.5.0. An attacker can exploit this flaw to overwrite or replace employee documents by manipulating the document ID in the upload request. This unauthorized modification poses a risk to the integrity of sensitive HR data, and a fix is pending release from the vendor.
The primary impact of CVE-2026-40866 is the potential for unauthorized modification of employee records within the Horilla HRMS system. An authenticated attacker, possessing valid login credentials, can leverage this vulnerability to upload malicious files disguised as legitimate employee documents. This could lead to data corruption, the introduction of malware, or the exfiltration of sensitive information contained within the HR records. The blast radius extends to all employee records accessible to the attacker's account, potentially impacting the entire organization's HR data integrity.
CVE-2026-40866 was publicly disclosed on 2026-04-21. Currently, there are no known public proof-of-concept exploits available. The EPSS score is pending evaluation. Monitor security advisories and vendor updates for further information and potential exploitation attempts.
Exploit Status
EPSS
0.04% (13% percentile)
CISA SSVC
As a direct patch is not yet available, immediate mitigation focuses on limiting the potential impact. Implement strict access controls within Horilla HRMS, restricting document upload privileges to authorized personnel only. Regularly audit user permissions and activity logs for suspicious behavior. Consider implementing a Web Application Firewall (WAF) with rules to block file uploads with potentially malicious extensions or unusual content types. Thoroughly validate all uploaded files on the server-side to prevent the execution of malicious code. After a patch is released, upgrade Horilla HRMS to the fixed version and verify the integrity of all employee documents.
Update to a patched version of Horilla HRMS. The vulnerability will be fixed in a future release. Check the GitHub repository for more details and updates on the fix.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-40866 is a vulnerability in Horilla HRMS versions 1.5.0–1.5.0 that allows authenticated users to overwrite employee documents, potentially corrupting HR records.
If you are running Horilla HRMS version 1.5.0, you are potentially affected by this vulnerability. Monitor vendor advisories for updates.
A patch is pending release. Until then, implement access controls, WAF rules, and file validation to mitigate the risk. Upgrade to the patched version as soon as it becomes available.
Currently, there are no confirmed reports of active exploitation, but the vulnerability is publicly known and should be addressed promptly.
Refer to the Horilla project website and security mailing lists for official advisories and updates regarding CVE-2026-40866.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.