Medium severity4.9NVD Advisory· Published Apr 7, 2026· Updated Apr 9, 2026

CVE-2026-39345

Description

OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source fails to restrict email template file resolution to the intended plugins directory, allowing an authenticated actor who can influence the template path to read arbitrary local files. This vulnerability is fixed in 5.8.1.

Affected products

Orangehrm/Orangehrm
cpe:2.3:a:orangehrm:orangehrm:*:*:*:*:*:*:*:*
Range: >=5.0,<5.8.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/orangehrm/orangehrm/security/advisories/GHSA-xq24-qv66-9v3mnvdVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.319
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000