CVE-2026-24010 - Horilla has HTML Injection Issue that, with Phishing, Leads to Account Takeover
CVE ID: CVE-2026-24010

Published: Jan. 22, 2026, 3:15 a.m.

Description: Horilla is a free and open source Human Resource Management System (HRMS). A critical File Upload vulnerability in versions prior to 1.5.0, with Social Engineering, allows authenticated users to deploy phishing attacks. By uploading a malicious HTML file disguised as a profile picture, an attacker can create a convincing login page replica that steals user credentials. When a victim visits the uploaded file URL, they see an authentic-looking
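
A server-side check of the kind that rejects an HTML file uploaded as a profile picture, shown as an added example: it is not Horilla's code or its 1.5.0 fix. The function names, the accepted formats and the sample bytes are assumptions constructed for illustration.

```python
import os
from typing import Optional, Tuple

# Leading bytes of the image formats this hypothetical upload handler accepts.
SIGNATURES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
EXTENSIONS = {".png": "image/png", ".jpg": "image/jpeg",
              ".jpeg": "image/jpeg", ".gif": "image/gif"}


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the file's leading bytes, or None."""
    for mime, prefixes in SIGNATURES.items():
        if data.startswith(prefixes):
            return mime
    return None


def check_profile_picture(filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept an upload only if extension and content agree on an image type."""
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXTENSIONS.get(ext)
    if claimed is None:
        return False, "extension not allowed"
    actual = sniff_image_type(data)
    if actual is None:
        return False, "content is not a recognised image"
    if actual != claimed:
        return False, "extension does not match content"
    return True, actual


def serving_headers(mime: str) -> dict:
    """Headers for serving a stored upload so a browser never renders it as a page."""
    return {
        "Content-Type": mime,                 # type decided server-side, not by the client
        "X-Content-Type-Options": "nosniff",  # forbid sniffing the body as text/html
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed sample inputs (not taken from the advisory).
HTML_AS_PNG = b"<!DOCTYPE html><html><body><form>...</form></body></html>"
REAL_PNG_HEAD = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
GIF_POLYGLOT = b"GIF89a" + b"<html><body>...</body></html>"
```

The constructed `GIF_POLYGLOT` sample passes the signature check, which is why the stored file should also be served with the headers from `serving_headers`: with a fixed image `Content-Type` and `nosniff`, a direct visit to the file URL does not produce a rendered HTML page.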