← Back to CVEs
CVE-2026-24036
MEDIUM5.3
Description
Horilla is a free and open source Human Resource Management System (HRMS). Versions 1.4.0 and above expose unpublished job postings through the /recruitment/recruitment-details// endpoint without authentication. The response includes draft job titles, descriptions and application link allowing unauthenticated users to view unpublished roles and access the application workflow for unpublished jobs. Unauthorized access to unpublished job posts can leak sensitive internal hiring information and cause confusion among candidates. This issue has been fixed in version 1.5.0.
CVE Details
CVSS v3.1 Score5.3
SeverityMEDIUM
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
Published1/22/2026
Last Modified1/29/2026
Sourcenvd
Honeypot Sightings0
Affected Products
horilla:horilla
Weaknesses (CWE)
CWE-284
References
https://github.com/horilla-opensource/horilla/commit/9a585a1588431499092a49d7e82cb77daa4d99ee(security-advisories@github.com)
https://github.com/horilla-opensource/horilla/releases/tag/1.5.0(security-advisories@github.com)
https://github.com/horilla-opensource/horilla/security/advisories/GHSA-q4xr-w96p-3vg7(security-advisories@github.com)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.