Description

Horilla is a free and open source Human Resource Management System (HRMS). An authenticated Remote Code Execution (RCE) vulnerability exists in Horilla 1.3.0 due to the unsafe use of Python’s eval() function on a user-controlled query parameter in the project_bulk_archive view. This allows privileged users (e.g., administrators) to execute arbitrary system commands on the server. While having Django’s DEBUG=True makes exploitation visibly easier by returning command output in the HTTP response, this is not required. The vulnerability can still be exploited in DEBUG=False mode by using blind payloads such as a reverse shell, leading to full remote code execution. This issue has been patched in version 1.3.1.

INFO

Published Date :

2025-09-24T13:51:04.834Z

Last Modified :

2025-09-24T18:45:55.219Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-48868 vulnerability.

Vendors Products
Horilla
  • Horilla
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-48868.

URL Resource
https://drive.google.com/file/d/1XQAJilt77QxkjGEa94CsZRqZIZXa3ET9/view?usp=sharing cve-icon cve-icon
https://drive.google.com/file/d/1hnI9AK3fnpVrTlTRF7aRJsKhZCDIm2Ve/view?usp=sharing cve-icon cve-icon
https://github.com/horilla-opensource/horilla/commit/b0aab62b3a5fe6b7114b5c58db129b3744b4d8cc cve-icon cve-icon
https://github.com/horilla-opensource/horilla/security/advisories/GHSA-h6qj-pwmx-wjhw cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact