Aggregates CVE and security vulnerability intelligence across all Jorani-related products, including CVSS scores, EPSS percentages, and publication dates.
Historical issues mainly involve SQL injection, cross-site scripting and related problems; some flaws may lead to data exposure in affected software deployments.

| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-67102 | A SQL injection vulnerability in the alldayoffs feature in Jorani up to v1.0.4 allows an authenticated attacker to execute arbitrary SQL commands via the entity parameter. | [email protected] | 7.6 | 0.22% | 2026-02-17 | 2026-06-17 |
| CVE-2023-48205 | Jorani Leave Management System 1.0.2 allows a remote attacker to spoof a Host header associated with password reset emails. | [email protected] | 5.3 | 0.76% | 2023-12-07 | 2026-06-17 |
| CVE-2023-45540 | An issue in Jorani Leave Management System 1.0.3 allows a remote attacker to execute arbitrary HTML code via a crafted script to the comment field of the List of Leave requests page. | [email protected] | 6.5 | 0.52% | 2023-10-16 | 2026-06-17 |
| CVE-2023-2681 | An SQL Injection vulnerability has been found on Jorani version 1.0.0. This vulnerability allows an authenticated remote user, with low privileges, to send queries with malicious SQL code on the "/leaves/validate" path and the "id" parameter, managing to extract arbitrary information from the database. | [email protected] | 8.8 | 0.56% | 2023-10-03 | 2026-06-17 |
| CVE-2023-26469 | In Jorani 1.0.0, an attacker could leverage path traversal to access files and execute code on the server. | [email protected] | 9.8 | 81.92% | 2023-08-17 | 2026-06-17 |
| CVE-2022-48118 | Jorani v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Acronym parameter. | [email protected] | 6.1 | 0.47% | 2023-01-27 | 2026-06-17 |
| CVE-2022-34134 | Jorani v1.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /application/controllers/Users.php. | [email protected] | 8.8 | 0.37% | 2022-06-27 | 2026-06-17 |
| CVE-2022-34133 | Jorani v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Comment parameter at application/controllers/Leaves.php. | [email protected] | 6.1 | 0.49% | 2022-06-27 | 2026-06-17 |
| CVE-2022-34132 | Jorani v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at application/controllers/Leaves.php. | [email protected] | 9.8 | 1.26% | 2022-06-27 | 2026-06-17 |