Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source allowed authenticated users to bypass disabled-module access controls via URL-encoded request paths and access functionality of modules disabled by an administrator. This vulnerability is fixed in 5.8.1.
AnalysisAI
OrangeHRM Open Source versions 5.0 through 5.8 allow authenticated users to bypass module access controls by submitting URL-encoded request paths, enabling unauthorized access to administrator-disabled functionality. The vulnerability requires valid user credentials but presents a moderate confidentiality and integrity risk. A vendor-released patch is available in version 5.8.1.
Technical ContextAI
OrangeHRM implements module-level access controls to restrict which features administrators enable for different user roles. The vulnerability exists in the access control enforcement mechanism (CWE-284: Improper Access Control), where the application fails to properly canonicalize or decode URL-encoded path parameters before checking module authorization policies. By submitting requests with URL-encoded path segments (e.g., using %2F for forward slashes or other encoded characters), authenticated attackers can bypass the module disable checks and invoke functionality that administrators have explicitly disabled. This is a classic access control bypass pattern where insufficient input normalization allows attackers to circumvent security boundaries. The affected product is OrangeHRM (CPE: cpe:2.3:a:orangehrm:orangehrm:*:*:*:*:*:*:*:*) in versions 5.0 through 5.8.
RemediationAI
Upgrade OrangeHRM to version 5.8.1 or later; this is the vendor-released patch that resolves the access control bypass. Organizations unable to immediately upgrade should implement compensating controls such as restricting direct URL access to sensitive modules, implementing Web Application Firewall (WAF) rules to block URL-encoded path sequences targeting disabled modules, and auditing user activity logs for unusual access patterns to disabled functionality. Administrators should also audit module access controls to ensure appropriate restrictions are in place for sensitive features. Details are provided in the GitHub security advisory at https://github.com/orangehrm/orangehrm/security/advisories/GHSA-f254-w9w8-xc8q.
In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath pa
OrangeHRM 3.3.3 allows admin/viewProjects sortOrder SQL injection. Rated high severity (CVSS 8.1), this vulnerability is
SQL injection vulnerability in the updateStatus function in lib/models/benefits/Hsp.php in OrangeHRM before 2.7 allows r
Multiple SQL injection vulnerabilities in OrangeHRM 2.7.1 RC 1 allow remote authenticated administrators to execute arbi
Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.7 allow remote attackers to inject arbitrary w
A stored cross-site scripting (XSS) vulnerability in the addNewPost component of OrangeHRM v4.10.1 allows attackers to e
OrangeHRM 4.10 is vulnerable to a Host header injection redirect via viewPersonalDetails endpoint. Rated medium severity
OrangeHRM 4.10 suffers from a Referer header injection redirect vulnerability. Rated medium severity (CVSS 5.4), this vu
OrangeHRM 4.10 is vulnerable to Stored XSS in the "Share Video" section under "OrangeBuzz" via the GET/POST "createVideo
OrangeHRM is a comprehensive human resource management (HRM) system. Rated critical severity (CVSS 9.0), this vulnerabil
OrangeHRM is a comprehensive human resource management (HRM) system. Rated high severity (CVSS 8.7), this vulnerability
OrangeHRM is a comprehensive human resource management (HRM) system. Rated high severity (CVSS 8.7), this vulnerability
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19856