CVE-2026-24036

{"id": "CVE-2026-24036", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-24036", "role": "CISA Coordinator", "options": [{"exploitation": "poc"}, {"automatable": "yes"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-22T12:37:27.246887Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "affected": [{"source": "security-advisories@github.com", "affectedData": [{"vendor": "horilla-opensource", "product": "horilla", "versions": [{"status": "affected", "version": ">= 1.4.0, < 1.5.0"}]}]}], "published": "2026-01-22T04:15:59.597", "references": [{"url": "https://github.com/horilla-opensource/horilla/commit/9a585a1588431499092a49d7e82cb77daa4d99ee", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/horilla-opensource/horilla/releases/tag/1.5.0", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/horilla-opensource/horilla/security/advisories/GHSA-q4xr-w96p-3vg7", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "Horilla is a free and open source Human Resource Management System (HRMS). Versions 1.4.0 and above expose unpublished job postings through the /recruitment/recruitment-details// endpoint without authentication. The response includes draft job titles, descriptions and application link allowing unauthenticated users to view unpublished roles and access the application workflow for unpublished jobs. Unauthorized access to unpublished job posts can leak sensitive internal hiring information and cause confusion among candidates. This issue has been fixed in version 1.5.0."}, {"lang": "es", "value": "Horilla es un Sistema de Gesti\u00f3n de Recursos Humanos (HRMS) de c\u00f3digo abierto y gratuito. Las versiones 1.4.0 y superiores exponen ofertas de empleo no publicadas a trav\u00e9s del endpoint /recruitment/recruitment-details// sin autenticaci\u00f3n. La respuesta incluye t\u00edtulos de puestos de trabajo en borrador, descripciones y un enlace de solicitud, lo que permite a los usuarios no autenticados ver roles no publicados y acceder al flujo de trabajo de solicitud para trabajos no publicados. El acceso no autorizado a las ofertas de empleo no publicadas puede filtrar informaci\u00f3n interna de contrataci\u00f3n sensible y causar confusi\u00f3n entre los candidatos. Este problema ha sido solucionado en la versi\u00f3n 1.5.0."}], "lastModified": "2026-06-17T10:22:29.973", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:horilla:horilla:1.4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "55143854-C369-4CAA-B671-90EFC9170F64"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}