Auth bypass in Horilla-opensource Horilla
CVE-2026-40867
Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, a broken access control vulnerability in the helpdesk attachment viewer allows any authenticated user to view attachments from other tickets by changing t…
EPSS: 0.001 (15.8th percentile)
Affected products
- Horilla-opensource Horilla — version 1.5.0
Weakness classification (CWE)
References
- https://github.com/horilla/horilla-hr/security/advisories/GHSA-j6qp-j853-qrff