Vendor CVEs
Orangehrm
All CVEs
31 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-39346 | | Med | 0.28 | 5.4 | 0.00 | | Apr 7, 2026 | OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source allowed authenticated users to bypass disabled-module access controls via URL-encoded request paths and access functionality of modules disabled by an administrator. This… |
| CVE-2026-39345 | | Med | 0.25 | 4.9 | 0.00 | | Apr 7, 2026 | OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source fails to restrict email template file resolution to the intended plugins directory, allowing an authenticated actor who can influence the template path to read arbitrary… |
| CVE-2026-39348 | | Med | 0.21 | 4.3 | 0.00 | | Apr 7, 2026 | OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source omits authorization on job specification and vacancy attachment download handlers, allowing authenticated low-privilege users to read attachments via direct reference to… |
| CVE-2026-39349 | | Low | 0.11 | 2.7 | 0.00 | | Apr 7, 2026 | OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source encrypts certain sensitive fields with AES in ECB mode, which preserves block-aligned plaintext patterns in ciphertext and enables pattern disclosure against stored data.… |
| CVE-2026-39347 | | Low | 0.11 | 2.7 | 0.00 | | Apr 7, 2026 | OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source accepts changes to self-appraisal submissions for administrator users after those submissions have been marked completed, breaking integrity of finalized appraisal… |
| CVE-2024-36428 | | | 0.06 | — | 0.02 | | May 27, 2024 | OrangeHRM 3.3.3 allows admin/viewProjects sortOrder SQL injection. |
| CVE-2012-1507 | | | 0.03 | — | 0.02 | | Sep 17, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) newHspStatus parameter to plugins/ajaxCalls/haltResumeHsp.php, (2) sortOrder1 parameter to templates/hrfunct/emppop.php, or (3)… |
| CVE-2012-1506 | | | 0.03 | — | 0.01 | | Sep 17, 2014 | SQL injection vulnerability in the updateStatus function in lib/models/benefits/Hsp.php in OrangeHRM before 2.7 allows remote authenticated users to execute arbitrary SQL commands via the hspSummaryId parameter to plugins/ajaxCalls/haltResumeHsp.php. NOTE: some of these details… |
| CVE-2011-5259 | | | 0.03 | — | 0.01 | | Feb 12, 2013 | SQL injection vulnerability in lib/controllers/CentralController.php in OrangeHRM before 2.6.11.2 allows remote attackers to execute arbitrary SQL commands via the id parameter. |
| CVE-2011-5258 | | | 0.03 | — | 0.02 | | Feb 12, 2013 | Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.6.11.2 allow remote attackers to inject arbitrary web script or HTML via the (1) uniqcode or (2) isAdmin parameter to index.php; or the (3) PATH_INFO to lib/controllers/centralcontroller.php. |
| CVE-2012-5367 | | | 0.03 | — | 0.01 | | Dec 3, 2012 | Multiple SQL injection vulnerabilities in OrangeHRM 2.7.1 RC 1 allow remote authenticated administrators to execute arbitrary SQL commands via the sortField parameter to (1) viewCustomers, (2) viewPayGrades, or (3) viewSystemUsers in symfony/web/index.php/admin/, as demonstrated… |
| CVE-2010-4798 | | | 0.03 | — | 0.02 | | Apr 27, 2011 | Directory traversal vulnerability in index.php in OrangeHRM 2.6.0.1 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the uri parameter. |
| CVE-2025-66291 | | | 0.00 | — | 0.00 | | Nov 29, 2025 | OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the interview attachment retrieval endpoint in the Recruitment module serves files based solely on an authenticated session and user-supplied identifiers, without verifying whether the… |
| CVE-2025-66290 | | | 0.00 | — | 0.00 | | Nov 29, 2025 | OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application’s recruitment attachment retrieval endpoint does not enforce the required authorization checks before serving candidate files. Even users restricted to ESS-level… |
| CVE-2025-66289 | | | 0.00 | — | 0.00 | | Nov 29, 2025 | OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application does not invalidate existing sessions when a user is disabled or when a password change occurs, allowing active session cookies to remain valid indefinitely. As a… |
| CVE-2025-66225 | | | 0.00 | — | 0.00 | | Nov 29, 2025 | OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the password reset workflow does not enforce that the username submitted in the final reset request matches the account for which the reset process was originally initiated. After… |
| CVE-2025-66224 | | | 0.00 | — | 0.00 | | Nov 29, 2025 | OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application contains an input-neutralization flaw in its mail configuration and delivery workflow that allows user-controlled values to flow directly into the system’s sendmail… |
| CVE-2025-44040 | | | 0.00 | — | 0.00 | | May 21, 2025 | An issue in OrangeHRM v.5.7 allows an attacker to escalate privileges via UserService.php and the checkForOldHash function. Authentication decisions may be made via PHP loose-equality comparisons if a specific MD5 value is present in the credential store. NOTE: this is disputed… |
| CVE-2022-28985 | | | 0.00 | — | 0.00 | | May 20, 2022 | A stored cross-site scripting (XSS) vulnerability in the addNewPost component of OrangeHRM v4.10.1 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request. |
| CVE-2022-27110 | | | 0.00 | — | 0.00 | | Apr 6, 2022 | OrangeHRM 4.10 is vulnerable to a Host header injection redirect via viewPersonalDetails endpoint. |
| CVE-2022-27109 | | | 0.00 | — | 0.00 | | Apr 6, 2022 | OrangeHRM 4.10 suffers from a Referer header injection redirect vulnerability. |
| CVE-2022-27108 | | | 0.00 | — | 0.01 | | Apr 6, 2022 | OrangeHRM 4.10 is vulnerable to Insecure Direct Object Reference (IDOR) via the end point symfony/web/index.php/time/createTimesheet. Any user can create a timesheet in another user's account. |
| CVE-2022-27107 | | | 0.00 | — | 0.00 | | Apr 6, 2022 | OrangeHRM 4.10 is vulnerable to Stored XSS in the "Share Video" section under "OrangeBuzz" via the GET/POST "createVideo[linkAddress]" parameter. |
| CVE-2021-28399 | | | 0.00 | — | 0.01 | | Apr 26, 2021 | OrangeHRM 4.7 allows an unauthenticated user to enumerate the valid username and email address via the forgot password function. |
| CVE-2020-29437 | | | 0.00 | — | 0.02 | | Jan 5, 2021 | SQL injection in the Buzz module of OrangeHRM through 4.6 allows remote authenticated attackers to execute arbitrary SQL commands via the orangehrmBuzzPlugin/lib/dao/BuzzDao.php loadMorePostsForm[profileUserId] parameter to the buzz/loadMoreProfile endpoint. |
| CVE-2013-1353 | | | 0.00 | — | 0.01 | | Feb 10, 2020 | Orange HRM 2.7.1 allows XSS via the vacancy name. |
| CVE-2019-12839 | | | 0.00 | — | 0.05 | | Jun 15, 2019 | In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command execution. |
| CVE-2014-100021 | | | 0.00 | — | 0.01 | | Jan 13, 2015 | Cross-site scripting (XSS) vulnerability in symfony/web/index.php/pim/viewEmployeeList in OrangeHRM before 3.1.2 allows remote attackers to inject arbitrary web script or HTML via the empsearch[employee_name][empId] parameter. |
| CVE-2011-3766 | | | 0.00 | — | 0.01 | | Sep 24, 2011 | OrangeHRM 2.6.0.2 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by themes/orange/menu/Menu.php and certain other files. |
| CVE-2007-5931 | | | 0.00 | — | 0.01 | | Nov 10, 2007 | The reDirect function in lib/controllers/RepViewController.php in OrangeHRM before 2.2.2 does not verify the privileges of a user, which allows remote attackers to obtain access to data via unspecified vectors. NOTE: the provenance of this information is unknown; the details… |
| CVE-2007-1193 | | | 0.00 | — | 0.01 | | Mar 2, 2007 | Multiple unspecified vulnerabilities in the Login page in OrangeHRM before 20070212 have unknown impact and attack vectors. |