OrangeHRM vendor CVEs (VYPR)

31 total · sorted by risk
  • CVE-2026-39346 · Medium · Apr 7, 2026
    risk 0.28 · CVSS 5.4 · EPSS 0.00

    OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source allowed authenticated users to bypass disabled-module access controls via URL-encoded request paths and access functionality of modules disabled by an administrator. This…

  • CVE-2026-39345 · Medium · Apr 7, 2026
    risk 0.25 · CVSS 4.9 · EPSS 0.00

    OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source fails to restrict email template file resolution to the intended plugins directory, allowing an authenticated actor who can influence the template path to read arbitrary…

  • CVE-2026-39348 · Medium · Apr 7, 2026
    risk 0.21 · CVSS 4.3 · EPSS 0.00

    OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source omits authorization on job specification and vacancy attachment download handlers, allowing authenticated low-privilege users to read attachments via direct reference to…

  • CVE-2026-39349 · Low · Apr 7, 2026
    risk 0.11 · CVSS 2.7 · EPSS 0.00

    OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source encrypts certain sensitive fields with AES in ECB mode, which preserves block-aligned plaintext patterns in ciphertext and enables pattern disclosure against stored data.…

  • CVE-2026-39347 · Low · Apr 7, 2026
    risk 0.11 · CVSS 2.7 · EPSS 0.00

    OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source accepts changes to self-appraisal submissions for administrator users after those submissions have been marked completed, breaking integrity of finalized appraisal…

  • CVE-2024-36428 · May 27, 2024
    risk 0.06 · CVSS n/a · EPSS 0.02

    OrangeHRM 3.3.3 allows admin/viewProjects sortOrder SQL injection.

  • CVE-2012-1507 · Sep 17, 2014
    risk 0.03 · CVSS n/a · EPSS 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) newHspStatus parameter to plugins/ajaxCalls/haltResumeHsp.php, (2) sortOrder1 parameter to templates/hrfunct/emppop.php, or (3)…

  • CVE-2012-1506 · Sep 17, 2014
    risk 0.03 · CVSS n/a · EPSS 0.01

    SQL injection vulnerability in the updateStatus function in lib/models/benefits/Hsp.php in OrangeHRM before 2.7 allows remote authenticated users to execute arbitrary SQL commands via the hspSummaryId parameter to plugins/ajaxCalls/haltResumeHsp.php. NOTE: some of these details…

  • CVE-2011-5259 · Feb 12, 2013
    risk 0.03 · CVSS n/a · EPSS 0.01

    SQL injection vulnerability in lib/controllers/CentralController.php in OrangeHRM before 2.6.11.2 allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2011-5258 · Feb 12, 2013
    risk 0.03 · CVSS n/a · EPSS 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.6.11.2 allow remote attackers to inject arbitrary web script or HTML via the (1) uniqcode or (2) isAdmin parameter to index.php; or the (3) PATH_INFO to lib/controllers/centralcontroller.php.

  • CVE-2012-5367 · Dec 3, 2012
    risk 0.03 · CVSS n/a · EPSS 0.01

    Multiple SQL injection vulnerabilities in OrangeHRM 2.7.1 RC 1 allow remote authenticated administrators to execute arbitrary SQL commands via the sortField parameter to (1) viewCustomers, (2) viewPayGrades, or (3) viewSystemUsers in symfony/web/index.php/admin/, as demonstrated…

  • CVE-2010-4798 · Apr 27, 2011
    risk 0.03 · CVSS n/a · EPSS 0.02

    Directory traversal vulnerability in index.php in OrangeHRM 2.6.0.1 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the uri parameter.

  • CVE-2025-66291 · Nov 29, 2025
    risk 0.00 · CVSS n/a · EPSS 0.00

    OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the interview attachment retrieval endpoint in the Recruitment module serves files based solely on an authenticated session and user-supplied identifiers, without verifying whether the…

  • CVE-2025-66290 · Nov 29, 2025
    risk 0.00 · CVSS n/a · EPSS 0.00

    OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application’s recruitment attachment retrieval endpoint does not enforce the required authorization checks before serving candidate files. Even users restricted to ESS-level…

  • CVE-2025-66289 · Nov 29, 2025
    risk 0.00 · CVSS n/a · EPSS 0.00

    OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application does not invalidate existing sessions when a user is disabled or when a password change occurs, allowing active session cookies to remain valid indefinitely. As a…

  • CVE-2025-66225 · Nov 29, 2025
    risk 0.00 · CVSS n/a · EPSS 0.00

    OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the password reset workflow does not enforce that the username submitted in the final reset request matches the account for which the reset process was originally initiated. After…

  • CVE-2025-66224 · Nov 29, 2025
    risk 0.00 · CVSS n/a · EPSS 0.00

    OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application contains an input-neutralization flaw in its mail configuration and delivery workflow that allows user-controlled values to flow directly into the system’s sendmail…

  • CVE-2025-44040 · May 21, 2025
    risk 0.00 · CVSS n/a · EPSS 0.00

    An issue in OrangeHRM v.5.7 allows an attacker to escalate privileges via UserService.php and the checkForOldHash function. Authentication decisions may be made via PHP loose-equality comparisons if a specific MD5 value is present in the credential store. NOTE: this is disputed…

  • CVE-2022-28985 · May 20, 2022
    risk 0.00 · CVSS n/a · EPSS 0.00

    A stored cross-site scripting (XSS) vulnerability in the addNewPost component of OrangeHRM v4.10.1 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request.

  • CVE-2022-27110 · Apr 6, 2022
    risk 0.00 · CVSS n/a · EPSS 0.00

    OrangeHRM 4.10 is vulnerable to a Host header injection redirect via viewPersonalDetails endpoint.

  • CVE-2022-27109 · Apr 6, 2022
    risk 0.00 · CVSS n/a · EPSS 0.00

    OrangeHRM 4.10 suffers from a Referer header injection redirect vulnerability.

  • CVE-2022-27108 · Apr 6, 2022
    risk 0.00 · CVSS n/a · EPSS 0.01

    OrangeHRM 4.10 is vulnerable to Insecure Direct Object Reference (IDOR) via the endpoint symfony/web/index.php/time/createTimesheet. Any user can create a timesheet in another user's account.

  • CVE-2022-27107 · Apr 6, 2022
    risk 0.00 · CVSS n/a · EPSS 0.00

    OrangeHRM 4.10 is vulnerable to Stored XSS in the "Share Video" section under "OrangeBuzz" via the GET/POST "createVideo[linkAddress]" parameter.

  • CVE-2021-28399 · Apr 26, 2021
    risk 0.00 · CVSS n/a · EPSS 0.01

    OrangeHRM 4.7 allows an unauthenticated user to enumerate the valid username and email address via the forgot password function.

  • CVE-2020-29437 · Jan 5, 2021
    risk 0.00 · CVSS n/a · EPSS 0.02

    SQL injection in the Buzz module of OrangeHRM through 4.6 allows remote authenticated attackers to execute arbitrary SQL commands via the orangehrmBuzzPlugin/lib/dao/BuzzDao.php loadMorePostsForm[profileUserId] parameter to the buzz/loadMoreProfile endpoint.

  • CVE-2013-1353 · Feb 10, 2020
    risk 0.00 · CVSS n/a · EPSS 0.01

    Orange HRM 2.7.1 allows XSS via the vacancy name.

  • CVE-2019-12839 · Jun 15, 2019
    risk 0.00 · CVSS n/a · EPSS 0.05

    In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command execution.

  • CVE-2014-100021 · Jan 13, 2015
    risk 0.00 · CVSS n/a · EPSS 0.01

    Cross-site scripting (XSS) vulnerability in symfony/web/index.php/pim/viewEmployeeList in OrangeHRM before 3.1.2 allows remote attackers to inject arbitrary web script or HTML via the empsearch[employee_name][empId] parameter.

  • CVE-2011-3766 · Sep 24, 2011
    risk 0.00 · CVSS n/a · EPSS 0.01

    OrangeHRM 2.6.0.2 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by themes/orange/menu/Menu.php and certain other files.

  • CVE-2007-5931 · Nov 10, 2007
    risk 0.00 · CVSS n/a · EPSS 0.01

    The reDirect function in lib/controllers/RepViewController.php in OrangeHRM before 2.2.2 does not verify the privileges of a user, which allows remote attackers to obtain access to data via unspecified vectors. NOTE: the provenance of this information is unknown; the details…

  • CVE-2007-1193 · Mar 2, 2007
    risk 0.00 · CVSS n/a · EPSS 0.01

    Multiple unspecified vulnerabilities in the Login page in OrangeHRM before 20070212 have unknown impact and attack vectors.