PT-2026-30972
OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source encrypts certain sensitive fields with AES in ECB mode, which preserves block-aligned plaintext patterns in ciphertext and enables pattern disclosure against stored data. This vulnerability i...
EUVD-2025-199904
OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application's recruitment attachment retrieval endpoint does not enforce the required authorization checks before serving candidate files. Even users restricted to ESS-level access, who have no...
OrangeHRM Data Forgery Vulnerability
OrangeHRM is a human resource management (HRM) system from OrangeHRM, Inc. in the United States. The system supports personnel information management, leave management, attendance management and recruitment management. OrangeHRM versions 5.0 through 5.7 are vulnerable to a data forgery issue that...
EUVD-2021-15079
Malware in sbrugna...
EUVD-2022-31648
Malicious code in bioql PyPI...
EUVD-2022-33416
Malicious code in bioql PyPI...
CVE-2025-44040
An issue in OrangeHRM v.5.7 allows an attacker to escalate privileges via UserService.php and the checkForOldHash function. Authentication decisions may be made via PHP loose-equality comparisons if a specific MD5 value is present in the credential store. NOTE: this is disputed by the Supplier...
CVE-2025-44040
CVE-2025-44040 affects OrangeHRM v5.7. The vulnerability arises from UserService.php and the checkForOldHash function, where authentication decisions may rely on PHP loose-equality comparisons when a specific MD5 value is present in the credential store. This can enable privilege escalation. Sour...
PT-2025-22434
Name of the Vulnerable Software and Affected Versions: OrangeHRM version 5.7. Description: The issue allows an attacker to escalate privileges through the UserService.php and the checkForOldHash function. Recommendations: For OrangeHRM version 5.7, as a temporary workaround, consider disabling the...
CVE-2022-27110
OrangeHRM 4.10 is vulnerable to a Host header injection redirect via the viewPersonalDetails endpoint...
Orangehrm SQL Injection Vulnerability (CNVD-2021-01999)
Orangehrm is a human resource management (HRM) system from Orangehrm, USA. The system supports personnel information management, leave management, attendance management and recruitment management. OrangeHRM versions prior to 4.6.0.1 suffer from a SQL injection vulnerability that stems from the...
OrangeHRM 'PluginController.php' Local File Inclusion Vulnerability
This host is running OrangeHRM and is prone to a local file inclusion vulnerability. OpenVAS Vulnerability Test $Id: secpodorangehrmlfivuln.nasl 7577 2017-10-26 10:41:56Z cfischer $ OrangeHRM 'PluginController.php' Local File Inclusion Vulnerability Authors: Madhuri D Copyright: Copyright c 20...