orangehrm
Latest CVEs
The 15 most recently published vulnerabilities affecting orangehrm.
- CVE-2026-39349 (score 2.7): OrangeHRM Uses AES-ECB for Sensitive Data Encryption, Enabling Pattern Disclosure
- CVE-2026-39348 (score 4.3): OrangeHRM Is Missing Authorization Checks in AbstractFileController Subclasses, Exposing Job Specification and Vacancy Attachments
- CVE-2026-39347 (score 2.7): OrangeHRM's Self-Appraisal Submission of Admin Users Can Be Modified After Completion
- CVE-2026-39346 (score 5.4): OrangeHRM Has Improper Access Control Allowing Access to Disabled Modules via URL Encoding
- CVE-2026-39345 (score 4.9): OrangeHRM Affected by Arbitrary File Read via Path Traversal in Email Template Loader
- CVE-2025-66291 (score 4.3): OrangeHRM Is Vulnerable to Improper Authorization Allowing Unauthorized Access to Interview Attachments
- CVE-2025-66290 (score 4.3): OrangeHRM Is Vulnerable to Improper Authorization Allowing Unauthorized Access to Candidate Attachments
- CVE-2025-66289 (score 8.8): OrangeHRM Is Vulnerable to Persistent Session Access Due to Missing Invalidation After User Disable and Password Change
- CVE-2025-66225 (score 8.8): OrangeHRM Is Vulnerable to Account Takeover Through Unvalidated Username in Password Reset Workflow
- CVE-2025-66224 (score 8.8): OrangeHRM Is Vulnerable to Code Execution Through Arbitrary File Write from Sendmail Parameter Injection
- CVE-2025-44040 (score 7.2): An issue in OrangeHRM v5.7 allows an attacker to escalate privileges via UserService.php and the checkForOldHash function. Authentication decisions may be made via PHP loose-equality comparisons i...
- CVE-2024-36428 (score 8.1): OrangeHRM 3.3.3 allows admin/viewProjects sortOrder SQL injection.
- CVE-2022-28985 (score 6.3): A stored cross-site scripting (XSS) vulnerability in the addNewPost component of OrangeHRM v4.10.1 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request.
- CVE-2022-27110 (score 5.4): OrangeHRM 4.10 is vulnerable to a Host header injection redirect via the viewPersonalDetails endpoint.
- CVE-2022-27109 (score 5.4): OrangeHRM 4.10 suffers from a Referer header injection redirect vulnerability.
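The first entry above (CVE-2026-39349) names the weakness class "AES-ECB pattern disclosure" without showing what is disclosed. The following Go program is an added illustration written for this page; it is not OrangeHRM code and does not reproduce the affected component. It encrypts a constructed record whose first and third 16-byte fields hold the same value, once with the raw block cipher applied block by block (which is all ECB mode is) and once under CBC with a random IV, then counts repeated ciphertext blocks. The key, the record layout and the helper names (`ecbEncrypt`, `cbcEncrypt`, `duplicateBlocks`) are all assumptions for the demo. CBC is used only as the contrast that hides the pattern; for stored sensitive data the usual fix is an AEAD mode such as AES-GCM with a unique nonce, since CBC alone gives confidentiality but no integrity.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed demo key: fixed so the ECB output is reproducible. A real
// deployment derives the key from a secret; the mode, not the key, is the issue.
var demoKey = bytes.Repeat([]byte{0x42}, 32) // AES-256

// Constructed plaintext: three 16-byte fields where field 1 and field 3 carry
// the same value. Illustrative data only, not OrangeHRM's record layout.
var demoPlaintext = []byte("amount=12000.00 amount=09500.00 amount=12000.00 ")

// ecbEncrypt encrypts each 16-byte block independently with the raw block
// cipher. Go's crypto/cipher offers no ECB mode; this loop is what "AES-ECB"
// means. Plaintext length must be a multiple of aes.BlockSize (no padding).
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a block multiple", len(plaintext))
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out, nil
}

// cbcEncrypt chains blocks under a fresh random IV (prepended to the output),
// so equal plaintext blocks no longer map to equal ciphertext blocks.
func cbcEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a block multiple", len(plaintext))
	}
	out := make([]byte, aes.BlockSize+len(plaintext))
	iv := out[:aes.BlockSize]
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], plaintext)
	return out, nil
}

// duplicateBlocks counts ciphertext blocks that repeat an earlier block. Any
// non-zero count is exactly the pattern an attacker reads out of ECB output
// without knowing the key.
func duplicateBlocks(ciphertext []byte) int {
	seen := map[string]bool{}
	dups := 0
	for i := 0; i+aes.BlockSize <= len(ciphertext); i += aes.BlockSize {
		b := string(ciphertext[i : i+aes.BlockSize])
		if seen[b] {
			dups++
		}
		seen[b] = true
	}
	return dups
}

// DuplicateBlocksECB returns how many ciphertext blocks repeat under ECB for
// the demo record: 1, because field 1 and field 3 are equal.
func DuplicateBlocksECB() int {
	ct, err := ecbEncrypt(demoKey, demoPlaintext)
	if err != nil {
		panic(err)
	}
	return duplicateBlocks(ct)
}

// DuplicateBlocksCBC returns the same count under CBC with a random IV: 0.
func DuplicateBlocksCBC() int {
	ct, err := cbcEncrypt(demoKey, demoPlaintext)
	if err != nil {
		panic(err)
	}
	return duplicateBlocks(ct)
}

// SameRecordSameCiphertextECB reports whether encrypting the same record twice
// under ECB yields byte-identical ciphertext (true): equal values can be
// matched across rows or backups without the key.
func SameRecordSameCiphertextECB() bool {
	a, _ := ecbEncrypt(demoKey, demoPlaintext)
	b, _ := ecbEncrypt(demoKey, demoPlaintext)
	return bytes.Equal(a, b)
}

func main() {
	fmt.Println("ECB duplicate blocks:", DuplicateBlocksECB())
	fmt.Println("CBC duplicate blocks:", DuplicateBlocksCBC())
	fmt.Println("ECB same record, same ciphertext:", SameRecordSameCiphertextECB())
}
```

Running it prints one repeated block for ECB and none for CBC. The check to carry into a code review of any application that stores encrypted PII is the same one `duplicateBlocks` performs: if two equal plaintexts, or two equal 16-byte segments of one plaintext, produce equal ciphertext bytes, the mode is leaking structure regardless of key length.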