Home > Vulnerability Database > CVE-2026-24036

Mend.io Vulnerability Database

CVE-2026-24036

Good to know:

Date: January 21, 2026

Horilla is a free and open source Human Resource Management System (HRMS). Versions 1.4.0 and above expose unpublished job postings through the /recruitment/recruitment-details// endpoint without authentication. The response includes draft job titles, descriptions and application link allowing unauthenticated users to view unpublished roles and access the application workflow for unpublished jobs. Unauthorized access to unpublished job posts can leak sensitive internal hiring information and cause confusion among candidates. This issue has been fixed in version 1.5.0.

Severity Score

5.3

Related Resources (5)

Url: https://github.com/horilla-opensource/horilla/commit/9a585a1588431499092a49d7e82cb77daa4d99ee

Url: https://github.com/horilla-opensource/horilla/releases/tag/1.5.0

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-24036

Url: https://github.com/horilla-opensource/horilla/security/advisories/GHSA-q4xr-w96p-3vg7

Url: https://www.mend.io/vulnerability-database/CVE-2026-24036

Severity Score

5.3

Weakness Type (CWE)

Improper Access Control

CWE-284

Top Fix

Upgrade Version

Upgrade to version https://github.com/horilla-opensource/horilla.git - 1.5.0

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2026-24036

Good to know:

Date: January 21, 2026

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?