CVE Alert

CVE-2026-41513

Severity: UNKNOWN (no CVSS score assigned yet)

Horilla: Open Redirect via Unvalidated `next` Parameter in Notification Endpoints

CVSS Score: 0.0 (not yet scored)
EPSS Score: 0.0%
EPSS Percentile: 0th

Horilla is HR and CRM software. In version 1.5.0, the notification endpoints trust the unvalidated `next` query parameter and redirect the user to whatever URL it contains, including arbitrary external sites. An attacker can therefore craft a link that points at the trusted Horilla host but lands the victim on a site they control, turning legitimate application links into phishing or social-engineering redirects.
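The following is an added example, not Horilla's code and not the fix from the linked commit. It shows the CWE-601 pattern described above next to a hardened replacement. The check is adapted from the logic of Django's `django.utils.http.url_has_allowed_host_and_scheme` so that it runs without Django installed; the host `hr.example.com`, the attacker host `evil.example` and the fallback path `/notifications/` are constructed for the example.

```python
"""Open redirect via an unvalidated `next` parameter (CWE-601).

Added example, not Horilla's own code. The allow-list check is adapted from
the logic of Django's url_has_allowed_host_and_scheme so it runs stand-alone;
the hosts and paths below are constructed for the example.
"""
import unicodedata
from urllib.parse import urlsplit

# Constructed: the host this HR instance is served from.
ALLOWED_HOSTS = {"hr.example.com"}
DEFAULT_TARGET = "/notifications/"


def vulnerable_redirect_target(next_param):
    """The CWE-601 pattern: whatever `next` holds becomes the Location header."""
    return next_param or DEFAULT_TARGET


def _allowed(url, allowed_hosts, require_https):
    # Browsers ignore leading control characters and may then read the
    # remainder as scheme-relative, so reject them outright.
    if unicodedata.category(url[0])[0] == "C":
        return False
    # Chrome treats "///host/..." as absolute; urlsplit does not.
    if url.startswith("///"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    # "http:///evil.example": scheme present but no netloc; Chrome still
    # treats "evil.example" as the host.
    if parts.scheme and not parts.netloc:
        return False
    # A scheme-relative URL ("//host/...") is effectively http.
    scheme = parts.scheme or ("http" if parts.netloc else "")
    valid_schemes = {"https"} if require_https else {"http", "https"}
    host_ok = not parts.netloc or parts.netloc in allowed_hosts
    scheme_ok = not scheme or scheme in valid_schemes
    return host_ok and scheme_ok


def is_safe_redirect(url, allowed_hosts=ALLOWED_HOSTS, require_https=False):
    """True only for relative paths or absolute URLs on an allowed host."""
    if url is None:
        return False
    url = url.strip()
    if not url:
        return False
    # Chrome treats "\" as "/" in paths, so "\\evil.example" becomes
    # "//evil.example"; both the raw and the normalised form must pass.
    return _allowed(url, allowed_hosts, require_https) and _allowed(
        url.replace("\\", "/"), allowed_hosts, require_https
    )


def safe_redirect_target(next_param, allowed_hosts=ALLOWED_HOSTS):
    """Hardened replacement: fall back to a fixed in-app path on anything unsafe."""
    if is_safe_redirect(next_param, allowed_hosts, require_https=True):
        return next_param.strip()
    return DEFAULT_TARGET


if __name__ == "__main__":
    for candidate in ["/dashboard/", "https://evil.example/login",
                      "//evil.example/", "\\\\evil.example/", "javascript:alert(1)"]:
        print(f"{candidate!r:32} vulnerable={vulnerable_redirect_target(candidate)!r:32} "
              f"hardened={safe_redirect_target(candidate)!r}")
```

In a real Django view the same check is one call: `url_has_allowed_host_and_scheme(next_url, allowed_hosts={request.get_host()}, require_https=request.is_secure())`, and the fallback should be a fixed path rather than anything derived from the request. To confirm whether a deployed instance is affected, request a notification endpoint with `next=//evil.example` (or a full `https://` URL) and check whether the `Location` header of the response leaves the application's own host; a patched instance redirects to an in-app path instead.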

CWE: CWE-601 (URL Redirection to Untrusted Site, "Open Redirect")
Vendor: horilla
Product: horilla-hr
Published: May 12, 2026
Last Updated: May 13, 2026

Affected Versions

horilla / horilla-hr
<= 1.5.0

References

NVD, CVE.org, EPSS Data
GitHub advisory: https://github.com/horilla/horilla-hr/security/advisories/GHSA-vqg4-fc32-cwvw
Fix commit: https://github.com/horilla/horilla-hr/commit/734f0c7ed4ac96fe8615d1b592180ea8a46eb8b6