EUVD-2025-199904

OrangeHRM is a comprehensive human resource management HRM system. From version 5.0 to 5.7, the application’s recruitment attachment retrieval endpoint does not enforce the required authorization checks before serving candidate files. Even users restricted to ESS-level access, who have no...

CVE-2025-66290 OrangeHRM is Vulnerable to Improper Authorization Allowing Unauthorized Access to Candidate Attachments

OrangeHRM is a comprehensive human resource management HRM system. From version 5.0 to 5.7, the application’s recruitment attachment retrieval endpoint does not enforce the required authorization checks before serving candidate files. Even users restricted to ESS-level access, who have no...

CVE-2025-66290

OrangeHRM CVE-2025-66290 affects versions 5.0–5.7. The recruitment attachment retrieval endpoint does not enforce authorization checks, allowing any authenticated user (even with ESS-level access) to access candidate attachments. The endpoint validates the session but does not verify recruitment ...

CVE-2025-66290 OrangeHRM is Vulnerable to Improper Authorization Allowing Unauthorized Access to Candidate Attachments

OrangeHRM is a comprehensive human resource management HRM system. From version 5.0 to 5.7, the application’s recruitment attachment retrieval endpoint does not enforce the required authorization checks before serving candidate files. Even users restricted to ESS-level access, who have no...

CVE-2025-66290 OrangeHRM is Vulnerable to Improper Authorization Allowing Unauthorized Access to Candidate Attachments

OrangeHRM is a comprehensive human resource management HRM system. From version 5.0 to 5.7, the application’s recruitment attachment retrieval endpoint does not enforce the required authorization checks before serving candidate files. Even users restricted to ESS-level access, who have no...