216.73.216.170

CVE-2026-24038

· Published 22/01/2026 04:15 · Modified 22/01/2026 04:15

Labels: CVE-2026-24038 2026-01-22CVE-2026-24038CWE-287[email protected]

Essential information

Published
22/01/2026 04:15
Modified
22/01/2026 04:15
Author
Creator
CVSS
8.1 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVSS metrics

Description

Horilla is a free and open source Human Resource Management System (HRMS). In version 1.4.0, the OTP handling logic has a flawed equality check that can be bypassed. When an OTP expires, the server returns None, and if an attacker omits the otp field from their POST request, the user-supplied OTP is also None, causing the comparison user_otp == otp to pass. This allows an attacker to bypass two-factor authentication entirely without ever providing a valid OTP. If administrative accounts are targeted, it could lead to compromise of sensitive HR data, manipulation of employee records, and further system-wide abuse. This issue has been fixed in version 1.5.0.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
horilla / hrms cpe:2.3:a:horilla:hrms:1.4.0:*:*:*:*:*:*:*
horilla / hrms cpe:2.3:a:horilla:hrms:1.5.0:*:*:*:*:*:*:*

References