Aggregates CVE and security vulnerability intelligence across all orangehrm-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Disclosed issues often relate to vendor risk cross-site scripting, vendor risk sql injection, and vendor risk open redirect; exposure may include vendor impact session compromise in vendor surface software deployment contexts.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-39349 | OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source encrypts certain sensitive fields with AES in ECB mode, which preserves block-aligned plaintext patterns in ciphertext and enables pattern disclosure against stored data. This vulnerability is fixed in 5.8.1. | [email protected] | 2.1 | 0.02% | 2026-04-07 | 2026-04-10 |
| CVE-2026-39348 | OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source omits authorization on job specification and vacancy attachment download handlers, allowing authenticated low-privilege users to read attachments via direct reference to attachment identifiers. This vulnerability is fixed in 5.8.1. | [email protected] | 5.3 | 0.04% | 2026-04-07 | 2026-04-10 |
| CVE-2026-39347 | OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source accepts changes to self-appraisal submissions for administrator users after those submissions have been marked completed, breaking integrity of finalized appraisal records. This vulnerability is fixed in 5.8.1. | [email protected] | 5.1 | 0.04% | 2026-04-07 | 2026-04-09 |
| CVE-2026-39346 | OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source allowed authenticated users to bypass disabled-module access controls via URL-encoded request paths and access functionality of modules disabled by an administrator. This vulnerability is fixed in 5.8.1. | [email protected] | 5.3 | 0.04% | 2026-04-07 | 2026-04-09 |
| CVE-2026-39345 | OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source fails to restrict email template file resolution to the intended plugins directory, allowing an authenticated actor who can influence the template path to read arbitrary local files. This vulnerability is fixed in 5.8.1. | [email protected] | 4.6 | 0.05% | 2026-04-07 | 2026-04-09 |
| CVE-2025-66291 | OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the interview attachment retrieval endpoint in the Recruitment module serves files based solely on an authenticated session and user-supplied identifiers, without verifying whether the requester has permission to access the associated interview record. Because the server does not perform any recruitment-level authorization checks, an ESS-level user with no access to recruitment workflows can directly re | [email protected] | 5.3 | 0.04% | 2025-11-29 | 2025-12-03 |
| CVE-2025-66290 | OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application’s recruitment attachment retrieval endpoint does not enforce the required authorization checks before serving candidate files. Even users restricted to ESS-level access, who have no permission to view the Recruitment module, can directly access candidate attachment URLs. When an authenticated request is made to the attachment endpoint, the system validates the session but does not confir | [email protected] | 5.3 | 0.03% | 2025-11-29 | 2025-12-03 |
| CVE-2025-66289 | OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application does not invalidate existing sessions when a user is disabled or when a password change occurs, allowing active session cookies to remain valid indefinitely. As a result, a disabled user, or an attacker using a compromised account, can continue to access protected pages and perform operations as long as a prior session remains active. Because the server performs no session revocation or | [email protected] | 8.7 | 0.05% | 2025-11-29 | 2025-12-03 |
| CVE-2025-66225 | OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the password reset workflow does not enforce that the username submitted in the final reset request matches the account for which the reset process was originally initiated. After obtaining a valid reset link for any account they can receive email for, an attacker can alter the username parameter in the final reset request to target a different user. Because the system accepts the supplied username with | [email protected] | 8.7 | 0.04% | 2025-11-29 | 2025-12-03 |
| CVE-2025-66224 | OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application contains an input-neutralization flaw in its mail configuration and delivery workflow that allows user-controlled values to flow directly into the system’s sendmail command. Because these values are not sanitized or constrained before being incorporated into the command execution path, certain sendmail behaviors can be unintentionally invoked during email processing. This makes it possib | [email protected] | 9.0 | 0.07% | 2025-11-29 | 2025-12-03 |
| CVE-2025-44040 | An issue in OrangeHRM v.5.7 allows an attacker to escalate privileges via UserService.php and the checkForOldHash function. Authentication decisions may be made via PHP loose-equality comparisons if a specific MD5 value is present in the credential store. NOTE: this is disputed by the Supplier because an adversary has no way to place the specific MD5 value into the credential store (unless they already have full privileges) and because the specific MD5 value would not realistically be present ot | [email protected] | 7.2 | 0.32% | 2025-05-21 | 2025-10-13 |
| CVE-2024-36428 | OrangeHRM 3.3.3 allows admin/viewProjects sortOrder SQL injection. | [email protected] | 8.1 | 77.10% | 2024-05-27 | 2025-06-23 |
| CVE-2022-28985 | A stored cross-site scripting (XSS) vulnerability in the addNewPost component of OrangeHRM v4.10.1 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request. | [email protected] | 6.3 | 0.18% | 2022-05-20 | 2024-11-21 |
| CVE-2022-27110 | OrangeHRM 4.10 is vulnerable to a Host header injection redirect via viewPersonalDetails endpoint. | [email protected] | 5.4 | 0.13% | 2022-04-06 | 2024-11-21 |
| CVE-2022-27109 | OrangeHRM 4.10 suffers from a Referer header injection redirect vulnerability. | [email protected] | 5.4 | 0.13% | 2022-04-06 | 2024-11-21 |
| CVE-2022-27108 | OrangeHRM 4.10 is vulnerable to Insecure Direct Object Reference (IDOR) via the end point symfony/web/index.php/time/createTimesheet`. Any user can create a timesheet in another user's account. | [email protected] | 4.3 | 0.13% | 2022-04-06 | 2024-11-21 |
| CVE-2022-27107 | OrangeHRM 4.10 is vulnerable to Stored XSS in the "Share Video" section under "OrangeBuzz" via the GET/POST "createVideo[linkAddress]" parameter | [email protected] | 5.4 | 0.25% | 2022-04-06 | 2024-11-21 |
| CVE-2021-28399 | OrangeHRM 4.7 allows an unauthenticated user to enumerate the valid username and email address via the forgot password function. | [email protected] | 5.3 | 0.71% | 2021-04-26 | 2024-11-21 |
| CVE-2020-29437 | SQL injection in the Buzz module of OrangeHRM through 4.6 allows remote authenticated attackers to execute arbitrary SQL commands via the orangehrmBuzzPlugin/lib/dao/BuzzDao.php loadMorePostsForm[profileUserId] parameter to the buzz/loadMoreProfile endpoint. | [email protected] | 8.1 | 1.24% | 2021-01-05 | 2024-11-21 |
| CVE-2013-1353 | Orange HRM 2.7.1 allows XSS via the vacancy name. | [email protected] | 5.4 | 0.18% | 2020-02-10 | 2024-11-21 |