Skip to main content

Orangehrm CVE-2026-39347

| EUVDEUVD-2026-19857 MEDIUM
Improper Authorization (CWE-285)
2026-04-07 GitHub_M
5.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
5.8.1
EUVD ID Assigned
Apr 07, 2026 - 18:45 euvd
EUVD-2026-19857
Analysis Generated
Apr 07, 2026 - 18:45 vuln.today
CVE Published
Apr 07, 2026 - 18:20 nvd
MEDIUM 5.1

DescriptionGitHub Advisory

OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source accepts changes to self-appraisal submissions for administrator users after those submissions have been marked completed, breaking integrity of finalized appraisal records. This vulnerability is fixed in 5.8.1.

AnalysisAI

OrangeHRM Open Source versions 5.0 through 5.8 allow high-privileged administrator users to modify self-appraisal submissions after those submissions have been marked as completed, compromising the integrity of finalized appraisal records. The vulnerability requires administrator authentication and has a CVSS score of 5.1 with low integrity impact. No public exploit code or active exploitation has been identified at the time of analysis.

Technical ContextAI

This vulnerability stems from inadequate authorization controls (CWE-285: Improper Authorization) in OrangeHRM's appraisal workflow processing. The system fails to enforce state-based access controls that should prevent modification of appraisal records once they transition to a completed/finalized state. The underlying issue is that the application does not properly verify the lifecycle state of appraisal submissions before accepting modification requests from authenticated administrators, allowing bypass of business logic constraints that protect record integrity. The vulnerability affects the Open Source edition of OrangeHRM, distributed via the CPE identifier cpe:2.3:a:orangehrm:orangehrm:*:*:*:*:*:*:*:*.

RemediationAI

Vendor-released patch: OrangeHRM 5.8.1 and later versions contain the fix. Organizations should upgrade from affected versions 5.0 through 5.8 to version 5.8.1 or the latest available release as soon as possible. Administrators should verify the upgrade through the OrangeHRM official releases page and associated GitHub security advisory at https://github.com/orangehrm/orangehrm/security/advisories/GHSA-7j84-w7h5-24pc. Until patching is feasible, implement compensating controls such as restricting administrator account access to only authorized personnel, enabling comprehensive audit logging of appraisal modifications, and conducting regular reviews of completed appraisal records for unauthorized alterations. Testing the patch in a non-production environment is recommended before deployment to production systems.

CVE-2019-12839 HIGH POC
8.8 Jun 15

In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath pa

CVE-2024-36428 HIGH POC
8.1 May 27

OrangeHRM 3.3.3 allows admin/viewProjects sortOrder SQL injection. Rated high severity (CVSS 8.1), this vulnerability is

CVE-2012-1506 MEDIUM POC
6.5 Sep 17

SQL injection vulnerability in the updateStatus function in lib/models/benefits/Hsp.php in OrangeHRM before 2.7 allows r

CVE-2012-5367 MEDIUM POC
6.0 Dec 03

Multiple SQL injection vulnerabilities in OrangeHRM 2.7.1 RC 1 allow remote authenticated administrators to execute arbi

CVE-2012-1507 MEDIUM POC
4.3 Sep 17

Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.7 allow remote attackers to inject arbitrary w

CVE-2022-28985 MEDIUM POC
5.4 May 20

A stored cross-site scripting (XSS) vulnerability in the addNewPost component of OrangeHRM v4.10.1 allows attackers to e

CVE-2022-27110 MEDIUM POC
5.4 Apr 06

OrangeHRM 4.10 is vulnerable to a Host header injection redirect via viewPersonalDetails endpoint. Rated medium severity

CVE-2022-27109 MEDIUM POC
5.4 Apr 06

OrangeHRM 4.10 suffers from a Referer header injection redirect vulnerability. Rated medium severity (CVSS 5.4), this vu

CVE-2022-27107 MEDIUM POC
5.4 Apr 06

OrangeHRM 4.10 is vulnerable to Stored XSS in the "Share Video" section under "OrangeBuzz" via the GET/POST "createVideo

CVE-2025-66224 CRITICAL
9.0 Nov 29

OrangeHRM is a comprehensive human resource management (HRM) system. Rated critical severity (CVSS 9.0), this vulnerabil

CVE-2025-66289 HIGH
8.7 Nov 29

OrangeHRM is a comprehensive human resource management (HRM) system. Rated high severity (CVSS 8.7), this vulnerability

CVE-2025-66225 HIGH
8.7 Nov 29

OrangeHRM is a comprehensive human resource management (HRM) system. Rated high severity (CVSS 8.7), this vulnerability

Share

CVE-2026-39347 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy