Skip to main content

Orangehrm

23 CVEs product

Monthly

CVE-2026-39349 LOW PATCH Monitor

OrangeHRM 5.0 through 5.8 uses AES encryption in ECB mode for sensitive fields, allowing attackers with high-level privileges to infer patterns in encrypted data through block-aligned plaintext analysis. This cryptographic weakness does not enable direct decryption but permits pattern disclosure against stored sensitive information, classified as information disclosure with low confidentiality impact. The vulnerability is fixed in version 5.8.1, and exploitation requires network access, high administrative privileges, and specific timing conditions that make real-world exploitation unlikely despite the remotely accessible attack vector.

Information Disclosure Orangehrm
NVD GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-39348 MEDIUM PATCH This Month

OrangeHRM 5.0 through 5.8 allows authenticated low-privilege users to bypass authorization controls and directly access job specification and vacancy attachment files by manipulating attachment identifiers, exposing sensitive HR documents. The vulnerability affects the attachment download handlers which fail to validate user permissions before serving files. This issue is fixed in version 5.8.1.

Authentication Bypass Orangehrm
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-39347 MEDIUM PATCH This Month

OrangeHRM Open Source versions 5.0 through 5.8 allow high-privileged administrator users to modify self-appraisal submissions after those submissions have been marked as completed, compromising the integrity of finalized appraisal records. The vulnerability requires administrator authentication and has a CVSS score of 5.1 with low integrity impact. No public exploit code or active exploitation has been identified at the time of analysis.

Authentication Bypass Orangehrm
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-39346 MEDIUM PATCH This Month

OrangeHRM Open Source versions 5.0 through 5.8 allow authenticated users to bypass module access controls by submitting URL-encoded request paths, enabling unauthorized access to administrator-disabled functionality. The vulnerability requires valid user credentials but presents a moderate confidentiality and integrity risk. A vendor-released patch is available in version 5.8.1.

Authentication Bypass Orangehrm
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-39345 MEDIUM PATCH This Month

OrangeHRM Open Source 5.0 through 5.8 allows authenticated users with high privileges to read arbitrary local files by manipulating email template file paths, bypassing the intended plugin directory restriction. The vulnerability requires high-privilege credentials and manual path influence but enables confidential file disclosure. Vendor has released patch version 5.8.1; no public exploit code or active exploitation is confirmed.

Path Traversal Orangehrm
NVD GitHub
CVSS 4.0
4.6
EPSS
0.0%
CVE-2025-66291 MEDIUM PATCH This Month

OrangeHRM is a comprehensive human resource management (HRM) system. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Orangehrm
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2025-66290 MEDIUM This Month

OrangeHRM is a comprehensive human resource management (HRM) system. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Orangehrm
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2025-66289 HIGH This Week

OrangeHRM is a comprehensive human resource management (HRM) system. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Orangehrm
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2025-66225 HIGH This Week

OrangeHRM is a comprehensive human resource management (HRM) system. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Orangehrm
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2025-66224 CRITICAL Act Now

OrangeHRM is a comprehensive human resource management (HRM) system. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Orangehrm
NVD GitHub
CVSS 4.0
9.0
EPSS
0.1%
CVE-2025-44040 HIGH This Month

An issue in OrangeHRM v.5.7 allows an attacker to escalate privileges via UserService.php and the checkForOldHash function. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Privilege Escalation Orangehrm
NVD GitHub
CVSS 3.1
7.2
EPSS
0.3%
CVE-2024-36428 HIGH POC This Week

OrangeHRM 3.3.3 allows admin/viewProjects sortOrder SQL injection. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Orangehrm
NVD GitHub
CVSS 3.1
8.1
EPSS
1.7%
CVE-2022-28985 MEDIUM POC This Month

A stored cross-site scripting (XSS) vulnerability in the addNewPost component of OrangeHRM v4.10.1 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Orangehrm
NVD GitHub
CVSS 3.1
5.4
EPSS
0.5%
CVE-2022-27110 MEDIUM POC This Month

OrangeHRM 4.10 is vulnerable to a Host header injection redirect via viewPersonalDetails endpoint. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Open Redirect Orangehrm
NVD GitHub
CVSS 3.1
5.4
EPSS
0.5%
CVE-2022-27109 MEDIUM POC This Month

OrangeHRM 4.10 suffers from a Referer header injection redirect vulnerability. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Open Redirect Orangehrm
NVD GitHub
CVSS 3.1
5.4
EPSS
0.5%
CVE-2022-27108 MEDIUM POC This Month

OrangeHRM 4.10 is vulnerable to Insecure Direct Object Reference (IDOR) via the end point symfony/web/index.php/time/createTimesheet`. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass Orangehrm
NVD GitHub
CVSS 3.1
4.3
EPSS
0.6%
CVE-2022-27107 MEDIUM POC This Month

OrangeHRM 4.10 is vulnerable to Stored XSS in the "Share Video" section under "OrangeBuzz" via the GET/POST "createVideo[linkAddress]" parameter. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Orangehrm
NVD GitHub
CVSS 3.1
5.4
EPSS
0.5%
CVE-2021-28399 MEDIUM This Month

OrangeHRM 4.7 allows an unauthenticated user to enumerate the valid username and email address via the forgot password function. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Orangehrm
NVD GitHub
CVSS 3.1
5.3
EPSS
1.0%
CVE-2019-12839 HIGH POC PATCH This Week

In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Command Injection Orangehrm
NVD GitHub
CVSS 3.0
8.8
EPSS
4.8%
CVE-2014-100021 MEDIUM POC PATCH This Month

Cross-site scripting (XSS) vulnerability in symfony/web/index.php/pim/viewEmployeeList in OrangeHRM before 3.1.2 allows remote attackers to inject arbitrary web script or HTML via the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.

XSS PHP Orangehrm
NVD
CVSS 2.0
4.3
EPSS
0.3%
CVE-2012-1507 MEDIUM POC PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) newHspStatus parameter to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.

XSS PHP Orangehrm
NVD Exploit-DB
CVSS 2.0
4.3
EPSS
9.5%
CVE-2012-1506 MEDIUM POC PATCH This Month

SQL injection vulnerability in the updateStatus function in lib/models/benefits/Hsp.php in OrangeHRM before 2.7 allows remote authenticated users to execute arbitrary SQL commands via the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP SQLi Orangehrm
NVD Exploit-DB
CVSS 2.0
6.5
EPSS
2.6%
CVE-2012-5367 MEDIUM POC This Month

Multiple SQL injection vulnerabilities in OrangeHRM 2.7.1 RC 1 allow remote authenticated administrators to execute arbitrary SQL commands via the sortField parameter to (1) viewCustomers, (2). Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

PHP SQLi CSRF Orangehrm
NVD Exploit-DB
CVSS 2.0
6.0
EPSS
1.5%
EPSS 0% CVSS 2.1
LOW PATCH Monitor

OrangeHRM 5.0 through 5.8 uses AES encryption in ECB mode for sensitive fields, allowing attackers with high-level privileges to infer patterns in encrypted data through block-aligned plaintext analysis. This cryptographic weakness does not enable direct decryption but permits pattern disclosure against stored sensitive information, classified as information disclosure with low confidentiality impact. The vulnerability is fixed in version 5.8.1, and exploitation requires network access, high administrative privileges, and specific timing conditions that make real-world exploitation unlikely despite the remotely accessible attack vector.

Information Disclosure Orangehrm
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

OrangeHRM 5.0 through 5.8 allows authenticated low-privilege users to bypass authorization controls and directly access job specification and vacancy attachment files by manipulating attachment identifiers, exposing sensitive HR documents. The vulnerability affects the attachment download handlers which fail to validate user permissions before serving files. This issue is fixed in version 5.8.1.

Authentication Bypass Orangehrm
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

OrangeHRM Open Source versions 5.0 through 5.8 allow high-privileged administrator users to modify self-appraisal submissions after those submissions have been marked as completed, compromising the integrity of finalized appraisal records. The vulnerability requires administrator authentication and has a CVSS score of 5.1 with low integrity impact. No public exploit code or active exploitation has been identified at the time of analysis.

Authentication Bypass Orangehrm
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

OrangeHRM Open Source versions 5.0 through 5.8 allow authenticated users to bypass module access controls by submitting URL-encoded request paths, enabling unauthorized access to administrator-disabled functionality. The vulnerability requires valid user credentials but presents a moderate confidentiality and integrity risk. A vendor-released patch is available in version 5.8.1.

Authentication Bypass Orangehrm
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

OrangeHRM Open Source 5.0 through 5.8 allows authenticated users with high privileges to read arbitrary local files by manipulating email template file paths, bypassing the intended plugin directory restriction. The vulnerability requires high-privilege credentials and manual path influence but enables confidential file disclosure. Vendor has released patch version 5.8.1; no public exploit code or active exploitation is confirmed.

Path Traversal Orangehrm
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

OrangeHRM is a comprehensive human resource management (HRM) system. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Orangehrm
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

OrangeHRM is a comprehensive human resource management (HRM) system. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Orangehrm
NVD GitHub
EPSS 0% CVSS 8.7
HIGH This Week

OrangeHRM is a comprehensive human resource management (HRM) system. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Orangehrm
NVD GitHub
EPSS 0% CVSS 8.7
HIGH This Week

OrangeHRM is a comprehensive human resource management (HRM) system. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Orangehrm
NVD GitHub
EPSS 0% CVSS 9.0
CRITICAL Act Now

OrangeHRM is a comprehensive human resource management (HRM) system. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Orangehrm
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Month

An issue in OrangeHRM v.5.7 allows an attacker to escalate privileges via UserService.php and the checkForOldHash function. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Privilege Escalation Orangehrm
NVD GitHub
EPSS 2% CVSS 8.1
HIGH POC This Week

OrangeHRM 3.3.3 allows admin/viewProjects sortOrder SQL injection. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Orangehrm
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC This Month

A stored cross-site scripting (XSS) vulnerability in the addNewPost component of OrangeHRM v4.10.1 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Orangehrm
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC This Month

OrangeHRM 4.10 is vulnerable to a Host header injection redirect via viewPersonalDetails endpoint. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Open Redirect Orangehrm
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC This Month

OrangeHRM 4.10 suffers from a Referer header injection redirect vulnerability. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Open Redirect Orangehrm
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM POC This Month

OrangeHRM 4.10 is vulnerable to Insecure Direct Object Reference (IDOR) via the end point symfony/web/index.php/time/createTimesheet`. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass Orangehrm
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC This Month

OrangeHRM 4.10 is vulnerable to Stored XSS in the "Share Video" section under "OrangeBuzz" via the GET/POST "createVideo[linkAddress]" parameter. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Orangehrm
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM This Month

OrangeHRM 4.7 allows an unauthenticated user to enumerate the valid username and email address via the forgot password function. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Orangehrm
NVD GitHub
EPSS 5% CVSS 8.8
HIGH POC PATCH This Week

In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Command Injection Orangehrm
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

Cross-site scripting (XSS) vulnerability in symfony/web/index.php/pim/viewEmployeeList in OrangeHRM before 3.1.2 allows remote attackers to inject arbitrary web script or HTML via the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.

XSS PHP Orangehrm
NVD
EPSS 10% CVSS 4.3
MEDIUM POC PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) newHspStatus parameter to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.

XSS PHP Orangehrm
NVD Exploit-DB
EPSS 3% CVSS 6.5
MEDIUM POC PATCH This Month

SQL injection vulnerability in the updateStatus function in lib/models/benefits/Hsp.php in OrangeHRM before 2.7 allows remote authenticated users to execute arbitrary SQL commands via the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP SQLi Orangehrm
NVD Exploit-DB
EPSS 1% CVSS 6.0
MEDIUM POC This Month

Multiple SQL injection vulnerabilities in OrangeHRM 2.7.1 RC 1 allow remote authenticated administrators to execute arbitrary SQL commands via the sortField parameter to (1) viewCustomers, (2). Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

PHP SQLi CSRF +1
NVD Exploit-DB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy