orangehrm — Vulnerabilities & Security Advisories (10)

Browse all 10 CVE security advisories affecting orangehrm. AI-powered Chinese analysis, POCs, and references for each vulnerability.

OrangeHRM serves as a comprehensive human resource management platform, handling employee data, payroll, and administrative functions. Historically, the application has been susceptible to multiple security vulnerabilities, including remote code execution, cross-site scripting, and privilege escalation flaws, contributing to its 10 recorded CVEs. These issues often stem from insufficient input validation and access control mechanisms. While no major public security incidents have been widely documented, the consistent discovery of vulnerabilities highlights ongoing security challenges. Organizations implementing this solution should prioritize timely patching and hardening to mitigate risks associated with its attack surface.

Top products by orangehrm: orangehrm
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-39349 | OrangeHRM Uses AES-ECB for Sensitive Data Encryption Enables Pattern Disclosure | orangehrm | CWE-326 | 6.5 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-39348 | OrangeHRM is Missing Authorization Checks in AbstractFileController Subclasses Expose Job Specification and Vacancy Attachments | orangehrm | CWE-862 | 6.5 | - | 2026-04-07 |
| CVE-2026-39347 | OrangeHRM's Self-Appraisal Submission of Admin Users Can Be Modified After Completion | orangehrm | CWE-285 | 5.5 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-39346 | OrangeHRM has Improper Access Control Allowing Access to Disabled Modules via URL Encoding | orangehrm | CWE-284 | 8.8 (AI) | High (AI) | 2026-04-07 |
| CVE-2026-39345 | OrangeHRM Affected by Arbitrary File Read via Path Traversal in Email Template Loader | orangehrm | CWE-22 | 6.5 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2025-66291 | OrangeHRM is Vulnerable to Improper Authorization Allowing Unauthorized Access to Interview Attachments | orangehrm | CWE-285 | 6.5 | - | 2025-11-29 |
| CVE-2025-66290 | OrangeHRM is Vulnerable to Improper Authorization Allowing Unauthorized Access to Candidate Attachments | orangehrm | CWE-285 | 6.5 | - | 2025-11-29 |
| CVE-2025-66289 | OrangeHRM is Vulnerable to Persistent Session Access Due to Missing Invalidation After User Disable and Password Change | orangehrm | CWE-613 | 8.8 | - | 2025-11-29 |
| CVE-2025-66225 | OrangeHRM is Vulnerable to Account Takeover Through Unvalidated Username in Password Reset Workflow | orangehrm | CWE-20 | 9.8 | - | 2025-11-29 |
| CVE-2025-66224 | OrangeHRM is Vulnerable to Code Execution Through Arbitrary File Write from Sendmail Parameter Injection | orangehrm | CWE-94 | 8.1 | - | 2025-11-29 |

Values marked (AI) carry the page's AI badge on the score or severity; a dash means the page lists no severity for that entry.

This page lists every published CVE security advisory associated with orangehrm. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.