VYPR
Vendor: Orangehrm
Products: 1
CVEs: 31 (31 across products)
Status: Private

Recent CVEs (31)
  • CVE-2026-39346 (Med), Apr 7, 2026
    risk 0.28, cvss 5.4, epss 0.00

    OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source allowed authenticated users to bypass disabled-module access controls via URL-encoded request paths and access functionality of modules disabled by an administrator. This…

  • CVE-2026-39345 (Med), Apr 7, 2026
    risk 0.25, cvss 4.9, epss 0.00

    OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source fails to restrict email template file resolution to the intended plugins directory, allowing an authenticated actor who can influence the template path to read arbitrary…

  • CVE-2026-39348 (Med), Apr 7, 2026
    risk 0.21, cvss 4.3, epss 0.00

    OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source omits authorization on job specification and vacancy attachment download handlers, allowing authenticated low-privilege users to read attachments via direct reference to…

  • CVE-2026-39349 (Low), Apr 7, 2026
    risk 0.11, cvss 2.7, epss 0.00

    OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source encrypts certain sensitive fields with AES in ECB mode, which preserves block-aligned plaintext patterns in ciphertext and enables pattern disclosure against stored data.…

  • CVE-2026-39347 (Low), Apr 7, 2026
    risk 0.11, cvss 2.7, epss 0.00

    OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source accepts changes to self-appraisal submissions for administrator users after those submissions have been marked completed, breaking integrity of finalized appraisal…

  • CVE-2024-36428, May 27, 2024
    risk 0.06, cvss (not listed), epss 0.02

    OrangeHRM 3.3.3 allows admin/viewProjects sortOrder SQL injection.

  • CVE-2012-1507, Sep 17, 2014
    risk 0.03, cvss (not listed), epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) newHspStatus parameter to plugins/ajaxCalls/haltResumeHsp.php, (2) sortOrder1 parameter to templates/hrfunct/emppop.php, or (3)…

  • CVE-2012-1506, Sep 17, 2014
    risk 0.03, cvss (not listed), epss 0.01

    SQL injection vulnerability in the updateStatus function in lib/models/benefits/Hsp.php in OrangeHRM before 2.7 allows remote authenticated users to execute arbitrary SQL commands via the hspSummaryId parameter to plugins/ajaxCalls/haltResumeHsp.php. NOTE: some of these details…

  • CVE-2011-5259, Feb 12, 2013
    risk 0.03, cvss (not listed), epss 0.01

    SQL injection vulnerability in lib/controllers/CentralController.php in OrangeHRM before 2.6.11.2 allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2011-5258, Feb 12, 2013
    risk 0.03, cvss (not listed), epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.6.11.2 allow remote attackers to inject arbitrary web script or HTML via the (1) uniqcode or (2) isAdmin parameter to index.php; or the (3) PATH_INFO to lib/controllers/centralcontroller.php.

  • CVE-2012-5367, Dec 3, 2012
    risk 0.03, cvss (not listed), epss 0.01

    Multiple SQL injection vulnerabilities in OrangeHRM 2.7.1 RC 1 allow remote authenticated administrators to execute arbitrary SQL commands via the sortField parameter to (1) viewCustomers, (2) viewPayGrades, or (3) viewSystemUsers in symfony/web/index.php/admin/, as demonstrated…

  • CVE-2010-4798, Apr 27, 2011
    risk 0.03, cvss (not listed), epss 0.02

    Directory traversal vulnerability in index.php in OrangeHRM 2.6.0.1 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the uri parameter.

  • CVE-2025-66291, Nov 29, 2025
    risk 0.00, cvss (not listed), epss 0.00

    OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the interview attachment retrieval endpoint in the Recruitment module serves files based solely on an authenticated session and user-supplied identifiers, without verifying whether the…

  • CVE-2025-66290, Nov 29, 2025
    risk 0.00, cvss (not listed), epss 0.00

    OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application’s recruitment attachment retrieval endpoint does not enforce the required authorization checks before serving candidate files. Even users restricted to ESS-level…

  • CVE-2025-66289, Nov 29, 2025
    risk 0.00, cvss (not listed), epss 0.00

    OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application does not invalidate existing sessions when a user is disabled or when a password change occurs, allowing active session cookies to remain valid indefinitely. As a…

  • CVE-2025-66225, Nov 29, 2025
    risk 0.00, cvss (not listed), epss 0.00

    OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the password reset workflow does not enforce that the username submitted in the final reset request matches the account for which the reset process was originally initiated. After…

  • CVE-2025-66224, Nov 29, 2025
    risk 0.00, cvss (not listed), epss 0.00

    OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application contains an input-neutralization flaw in its mail configuration and delivery workflow that allows user-controlled values to flow directly into the system’s sendmail…

  • CVE-2025-44040, May 21, 2025
    risk 0.00, cvss (not listed), epss 0.00

    An issue in OrangeHRM v.5.7 allows an attacker to escalate privileges via UserService.php and the checkForOldHash function. Authentication decisions may be made via PHP loose-equality comparisons if a specific MD5 value is present in the credential store. NOTE: this is disputed…

  • CVE-2022-28985, May 20, 2022
    risk 0.00, cvss (not listed), epss 0.00

    A stored cross-site scripting (XSS) vulnerability in the addNewPost component of OrangeHRM v4.10.1 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request.

  • CVE-2022-27110, Apr 6, 2022
    risk 0.00, cvss (not listed), epss 0.00

    OrangeHRM 4.10 is vulnerable to a Host header injection redirect via viewPersonalDetails endpoint.