Skip to main content

Orangehrm CVE-2026-39349

| EUVDEUVD-2026-19859 LOW
Inadequate Encryption Strength (CWE-326)
2026-04-07 GitHub_M
2.1
CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
5.8.1
EUVD ID Assigned
Apr 07, 2026 - 18:45 euvd
EUVD-2026-19859
Analysis Generated
Apr 07, 2026 - 18:45 vuln.today
CVE Published
Apr 07, 2026 - 18:22 nvd
LOW 2.1

DescriptionGitHub Advisory

OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source encrypts certain sensitive fields with AES in ECB mode, which preserves block-aligned plaintext patterns in ciphertext and enables pattern disclosure against stored data. This vulnerability is fixed in 5.8.1.

AnalysisAI

OrangeHRM 5.0 through 5.8 uses AES encryption in ECB mode for sensitive fields, allowing attackers with high-level privileges to infer patterns in encrypted data through block-aligned plaintext analysis. This cryptographic weakness does not enable direct decryption but permits pattern disclosure against stored sensitive information, classified as information disclosure with low confidentiality impact. The vulnerability is fixed in version 5.8.1, and exploitation requires network access, high administrative privileges, and specific timing conditions that make real-world exploitation unlikely despite the remotely accessible attack vector.

Technical ContextAI

OrangeHRM implements AES encryption in ECB (Electronic Codebook) mode for sensitive data fields. ECB mode is a deterministic encryption scheme that produces identical ciphertext blocks for identical plaintext blocks, fundamentally violating semantic security principles. An attacker observing encrypted sensitive fields can correlate ciphertext patterns to deduce information about the plaintext without decryption-for example, recognizing when two employees share identical encrypted field values or identifying repeating patterns in employee data. The underlying weakness is classified as CWE-326 (Inadequate Encryption Strength), reflecting the use of a cryptographic algorithm in an insecure mode of operation. This affects the OrangeHRM Open Source product across versions 5.0 to 5.8, stored in encrypted form within the application database.

RemediationAI

Vendor-released patch: OrangeHRM 5.8.1 or later. Organizations running OrangeHRM 5.0 through 5.8 should upgrade immediately to version 5.8.1, which replaces ECB mode encryption with a cryptographically secure mode of operation (such as CBC or GCM with authenticated encryption). No interim workarounds are documented; the encryption scheme change requires a patch deployment. Review the vendor security advisory at https://github.com/orangehrm/orangehrm/security/advisories/GHSA-g29m-3jgj-gprg for upgrade procedures and any data re-encryption requirements. Administrators should verify that sensitive fields (such as employee personal data) are re-encrypted with the corrected cipher mode during the upgrade process.

CVE-2019-12839 HIGH POC
8.8 Jun 15

In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath pa

CVE-2024-36428 HIGH POC
8.1 May 27

OrangeHRM 3.3.3 allows admin/viewProjects sortOrder SQL injection. Rated high severity (CVSS 8.1), this vulnerability is

CVE-2012-1506 MEDIUM POC
6.5 Sep 17

SQL injection vulnerability in the updateStatus function in lib/models/benefits/Hsp.php in OrangeHRM before 2.7 allows r

CVE-2012-5367 MEDIUM POC
6.0 Dec 03

Multiple SQL injection vulnerabilities in OrangeHRM 2.7.1 RC 1 allow remote authenticated administrators to execute arbi

CVE-2012-1507 MEDIUM POC
4.3 Sep 17

Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.7 allow remote attackers to inject arbitrary w

CVE-2022-28985 MEDIUM POC
5.4 May 20

A stored cross-site scripting (XSS) vulnerability in the addNewPost component of OrangeHRM v4.10.1 allows attackers to e

CVE-2022-27110 MEDIUM POC
5.4 Apr 06

OrangeHRM 4.10 is vulnerable to a Host header injection redirect via viewPersonalDetails endpoint. Rated medium severity

CVE-2022-27109 MEDIUM POC
5.4 Apr 06

OrangeHRM 4.10 suffers from a Referer header injection redirect vulnerability. Rated medium severity (CVSS 5.4), this vu

CVE-2022-27107 MEDIUM POC
5.4 Apr 06

OrangeHRM 4.10 is vulnerable to Stored XSS in the "Share Video" section under "OrangeBuzz" via the GET/POST "createVideo

CVE-2025-66224 CRITICAL
9.0 Nov 29

OrangeHRM is a comprehensive human resource management (HRM) system. Rated critical severity (CVSS 9.0), this vulnerabil

CVE-2025-66289 HIGH
8.7 Nov 29

OrangeHRM is a comprehensive human resource management (HRM) system. Rated high severity (CVSS 8.7), this vulnerability

CVE-2025-66225 HIGH
8.7 Nov 29

OrangeHRM is a comprehensive human resource management (HRM) system. Rated high severity (CVSS 8.7), this vulnerability

Share

CVE-2026-39349 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy