Lucene search
K

4 matches found

ATTACKERKB
ATTACKERKB
added 2026/04/07 6:17 p.m.1 views

CVE-2026-39345

OrangeHRM is a comprehensive human resource management HRM system. From 5.0 to 5.8, OrangeHRM Open Source fails to restrict email template file resolution to the intended plugins directory, allowing an authenticated actor who can influence the template path to read arbitrary local files. This...

4.6CVSS6AI score0.00323EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/02/24 2:45 a.m.5 views

CVE-2026-27129

Craft is a content management system CMS. In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation uses gethostbyname, which only resolves IPv4 addresses. When a hostname has only AAAA IPv6 records, the function returns the...

7.1CVSS5.3AI score0.00427EPSS
Exploits2References4Affected Software1
RedhatCVE
RedhatCVE
added 2025/12/01 1:18 p.m.6 views

CVE-2025-66290

OrangeHRM is a comprehensive human resource management HRM system. From version 5.0 to 5.7, the application’s recruitment attachment retrieval endpoint does not enforce the required authorization checks before serving candidate files. Even users restricted to ESS-level access, who have no...

5.3CVSS6.6AI score0.00168EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2025/11/29 3:6 a.m.4 views

CVE-2025-66289 OrangeHRM is Vulnerable to Persistent Session Access Due to Missing Invalidation After User Disable and Password Change

OrangeHRM is a comprehensive human resource management HRM system. From version 5.0 to 5.7, the application does not invalidate existing sessions when a user is disabled or when a password change occurs, allowing active session cookies to remain valid indefinitely. As a result, a disabled user, o...

8.7CVSS6.8AI score0.00241EPSS
Exploits0References1
Rows per page
Query Builder