OrangeHRM
by OrangeHRM
CVEs (31)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-39346 | OrangeHRM / OrangeHRM | Med | 0.28 | 5.4 | 0.00 | | Apr 7, 2026 | OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source allowed authenticated users to bypass disabled-module access controls via URL-encoded request paths and access functionality of modules disabled by an administrator. This… |
| CVE-2026-39345 | OrangeHRM / OrangeHRM | Med | 0.25 | 4.9 | 0.00 | | Apr 7, 2026 | OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source fails to restrict email template file resolution to the intended plugins directory, allowing an authenticated actor who can influence the template path to read arbitrary… |
| CVE-2026-39348 | OrangeHRM / OrangeHRM | Med | 0.21 | 4.3 | 0.00 | | Apr 7, 2026 | OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source omits authorization on job specification and vacancy attachment download handlers, allowing authenticated low-privilege users to read attachments via direct reference to… |
| CVE-2026-39349 | OrangeHRM / OrangeHRM | Low | 0.11 | 2.7 | 0.00 | | Apr 7, 2026 | OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source encrypts certain sensitive fields with AES in ECB mode, which preserves block-aligned plaintext patterns in ciphertext and enables pattern disclosure against stored data.… |
| CVE-2026-39347 | OrangeHRM / OrangeHRM | Low | 0.11 | 2.7 | 0.00 | | Apr 7, 2026 | OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source accepts changes to self-appraisal submissions for administrator users after those submissions have been marked completed, breaking integrity of finalized appraisal… |
| CVE-2024-36428 | OrangeHRM / OrangeHRM | | 0.06 | — | 0.02 | | May 27, 2024 | OrangeHRM 3.3.3 allows admin/viewProjects sortOrder SQL injection. |
| CVE-2012-1507 | OrangeHRM / OrangeHRM | | 0.03 | — | 0.02 | | Sep 17, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) newHspStatus parameter to plugins/ajaxCalls/haltResumeHsp.php, (2) sortOrder1 parameter to templates/hrfunct/emppop.php, or (3)… |
| CVE-2012-1506 | OrangeHRM / OrangeHRM | | 0.03 | — | 0.01 | | Sep 17, 2014 | SQL injection vulnerability in the updateStatus function in lib/models/benefits/Hsp.php in OrangeHRM before 2.7 allows remote authenticated users to execute arbitrary SQL commands via the hspSummaryId parameter to plugins/ajaxCalls/haltResumeHsp.php. NOTE: some of these details… |
| CVE-2011-5259 | OrangeHRM / OrangeHRM | | 0.03 | — | 0.01 | | Feb 12, 2013 | SQL injection vulnerability in lib/controllers/CentralController.php in OrangeHRM before 2.6.11.2 allows remote attackers to execute arbitrary SQL commands via the id parameter. |
| CVE-2011-5258 | OrangeHRM / OrangeHRM | | 0.03 | — | 0.02 | | Feb 12, 2013 | Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.6.11.2 allow remote attackers to inject arbitrary web script or HTML via the (1) uniqcode or (2) isAdmin parameter to index.php; or the (3) PATH_INFO to lib/controllers/centralcontroller.php. |
| CVE-2012-5367 | OrangeHRM / OrangeHRM | | 0.03 | — | 0.01 | | Dec 3, 2012 | Multiple SQL injection vulnerabilities in OrangeHRM 2.7.1 RC 1 allow remote authenticated administrators to execute arbitrary SQL commands via the sortField parameter to (1) viewCustomers, (2) viewPayGrades, or (3) viewSystemUsers in symfony/web/index.php/admin/, as demonstrated… |
| CVE-2010-4798 | OrangeHRM / OrangeHRM | | 0.03 | — | 0.02 | | Apr 27, 2011 | Directory traversal vulnerability in index.php in OrangeHRM 2.6.0.1 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the uri parameter. |
| CVE-2025-66291 | OrangeHRM / OrangeHRM | | 0.00 | — | 0.00 | | Nov 29, 2025 | OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the interview attachment retrieval endpoint in the Recruitment module serves files based solely on an authenticated session and user-supplied identifiers, without verifying whether the… |
| CVE-2025-66290 | OrangeHRM / OrangeHRM | | 0.00 | — | 0.00 | | Nov 29, 2025 | OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application’s recruitment attachment retrieval endpoint does not enforce the required authorization checks before serving candidate files. Even users restricted to ESS-level… |
| CVE-2025-66289 | OrangeHRM / OrangeHRM | | 0.00 | — | 0.00 | | Nov 29, 2025 | OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application does not invalidate existing sessions when a user is disabled or when a password change occurs, allowing active session cookies to remain valid indefinitely. As a… |
| CVE-2025-66225 | OrangeHRM / OrangeHRM | | 0.00 | — | 0.00 | | Nov 29, 2025 | OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the password reset workflow does not enforce that the username submitted in the final reset request matches the account for which the reset process was originally initiated. After… |
| CVE-2025-66224 | OrangeHRM / OrangeHRM | | 0.00 | — | 0.00 | | Nov 29, 2025 | OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application contains an input-neutralization flaw in its mail configuration and delivery workflow that allows user-controlled values to flow directly into the system’s sendmail… |
| CVE-2025-44040 | OrangeHRM / OrangeHRM | | 0.00 | — | 0.00 | | May 21, 2025 | An issue in OrangeHRM v.5.7 allows an attacker to escalate privileges via UserService.php and the checkForOldHash function. Authentication decisions may be made via PHP loose-equality comparisons if a specific MD5 value is present in the credential store. NOTE: this is disputed… |
| CVE-2022-28985 | OrangeHRM / OrangeHRM | | 0.00 | — | 0.00 | | May 20, 2022 | A stored cross-site scripting (XSS) vulnerability in the addNewPost component of OrangeHRM v4.10.1 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request. |
| CVE-2022-27110 | OrangeHRM / OrangeHRM | | 0.00 | — | 0.00 | | Apr 6, 2022 | OrangeHRM 4.10 is vulnerable to a Host header injection redirect via viewPersonalDetails endpoint. |
Page 1 of 2