Known Vulnerabilities for products from Orangehrm

Listed below are the 20 newest known vulnerabilities associated with the vendor "Orangehrm".

These CVEs are retrieved by exact matches on the listed vendor information (CPE data) and by a keyword search, so that the newest vulnerabilities that do not yet carry official vendor information are still displayed. An entry found only by keyword has not been tied to a CPE, so its affected-version range still has to be checked against your deployment by hand.

Data on known vulnerable products is also displayed based on information from known CPEs; each product links to its respective vulnerability page.

Known Vulnerabilities

CVE | Shortened Description | Severity (CVSS score - rating) | Publish Date | Last Modified
CVE-2026-39349 | | Not Provided | 2026-04-07 | 2026-04-07
CVE-2026-39348 | | Not Provided | 2026-04-07 | 2026-04-08
CVE-2026-39347 | OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source accepts changes t... | Not Provided | 2026-04-07 | 2026-04-09
CVE-2026-39346 | OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source allowed authentic... | Not Provided | 2026-04-07 | 2026-04-09
CVE-2026-39345 | OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source fails to restrict... | Not Provided | 2026-04-07 | 2026-04-09
CVE-2022-28985 | A stored cross-site scripting (XSS) vulnerability in the addNewPost component of OrangeHRM v4.10.1 allows attackers to execut... | 5.4 - MEDIUM | 2022-05-20 | 2022-05-26
CVE-2022-27110 | OrangeHRM 4.10 is vulnerable to a Host header injection redirect via viewPersonalDetails endpoint. | 5.4 - MEDIUM | 2022-04-06 | 2022-04-13
CVE-2022-27109 | OrangeHRM 4.10 suffers from a Referer header injection redirect vulnerability. | 5.4 - MEDIUM | 2022-04-06 | 2022-04-13
CVE-2022-27108 | OrangeHRM 4.10 is vulnerable to Insecure Direct Object Reference (IDOR) via the end point symfony/web/index.php/time/createTi... | 4.3 - MEDIUM | 2022-04-06 | 2022-04-13
CVE-2022-27107 | OrangeHRM 4.10 is vulnerable to Stored XSS in the "Share Video" section under "OrangeBuzz" via the GET/POST "createVideo[link... | 5.4 - MEDIUM | 2022-04-06 | 2022-04-13
CVE-2021-28399 | OrangeHRM 4.7 allows an unauthenticated user to enumerate the valid username and email address via the forgot password functi... | 5.3 - MEDIUM | 2021-04-26 | 2021-05-05
CVE-2020-29437 | SQL injection in the Buzz module of OrangeHRM through 4.6 allows remote authenticated attackers to execute arbitrary SQL comm... | 8.1 - HIGH | 2021-01-05 | 2021-01-07
CVE-2019-12839 | In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath paramet... | 8.8 - HIGH | 2019-06-15 | 2020-08-24
CVE-2014-100021 | Cross-site scripting (XSS) vulnerability in symfony/web/index.php/pim/viewEmployeeList in OrangeHRM before 3.1.2 allows remot... | 4.3 - MEDIUM | 2015-01-13 | 2015-01-14
CVE-2013-1353 | Orange HRM 2.7.1 allows XSS via the vacancy name. | 5.4 - MEDIUM | 2020-02-10 | 2020-02-11
CVE-2012-5367 | Multiple SQL injection vulnerabilities in OrangeHRM 2.7.1 RC 1 allow remote authenticated administrators to execute arbitrary... | 6.0 - MEDIUM | 2012-12-03 | 2017-08-29
CVE-2012-1507 | Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.7 allow remote attackers to inject arbitrary web sc... | 4.3 - MEDIUM | 2014-09-17 | 2017-08-29
CVE-2012-1506 | SQL injection vulnerability in the updateStatus function in lib/models/benefits/Hsp.php in OrangeHRM before 2.7 allows remote... | 6.5 - MEDIUM | 2014-09-17 | 2017-08-29
CVE-2011-5259 | SQL injection vulnerability in lib/controllers/CentralController.php in OrangeHRM before 2.6.11.2 allows remote attackers to ... | 6.8 - MEDIUM | 2013-02-12 | 2018-10-09
CVE-2011-5258 | Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.6.11.2 allow remote attackers to inject arbitrary w... | 4.3 - MEDIUM | 2013-02-12 | 2018-10-09
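The listing above only becomes actionable once it is matched against the version you actually run. The following is an added example, not code from this page, from NVD or from the OrangeHRM project: it implements the two retrieval paths the page describes (an exact CPE match carrying NVD-style version bounds, plus a keyword fallback for records that have no CPE data yet) and reports which sample records apply to a given OrangeHRM version. The records in SAMPLE_RECORDS are constructed by hand from a few rows of the listing; the CPE strings, the field names on CpeMatch and the version bounds ("through 4.6" read as versionEndIncluding, "before 2.7" as versionEndExcluding) are assumptions modelled on NVD's configuration JSON, not data taken from the page.

```python
# Added example, not code from this page, NVD or the OrangeHRM project.
# Mirrors the page's two retrieval paths: exact CPE match with NVD-style
# version bounds, plus a keyword fallback for records with no CPE data.
# SAMPLE_RECORDS is constructed by hand from rows of the listing; the CPE
# strings and version bounds are assumptions, not data taken from the page.
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CpeMatch:
    """One NVD cpeMatch entry: a CPE 2.3 string plus optional version bounds."""
    criteria: str
    version_start_including: Optional[str] = None
    version_end_including: Optional[str] = None
    version_end_excluding: Optional[str] = None


@dataclass
class CveRecord:
    cve_id: str
    summary: str
    matches: list = field(default_factory=list)  # empty: no CPE data attached yet


def parse_version(v: str) -> tuple:
    """'4.10.1' -> (4, 10, 1); '4.6' -> (4, 6, 0). Only the leading dotted
    numbers count; a suffix like 'RC 1' is dropped (a simplification)."""
    m = re.match(r"\d+(?:\.\d+)*", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = [int(n) for n in m.group(0).split(".")]
    return tuple(nums + [0] * (3 - len(nums)))


def cpe_fields(criteria: str) -> dict:
    """cpe:2.3:part:vendor:product:version:... (escaped colons not handled)."""
    f = criteria.split(":")
    if len(f) != 13 or f[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {criteria!r}")
    return {"part": f[2], "vendor": f[3], "product": f[4], "version": f[5]}


def cpe_match_applies(m: CpeMatch, vendor: str, product: str, version: str) -> bool:
    """True if vendor/product/version falls inside this cpeMatch entry."""
    f = cpe_fields(m.criteria)
    if f["vendor"] != vendor or f["product"] != product:
        return False
    v = parse_version(version)
    if f["version"] not in ("*", "-"):          # a single pinned version
        return parse_version(f["version"]) == v
    # Wildcard version: apply the range bounds attached to the entry.
    if m.version_start_including and v < parse_version(m.version_start_including):
        return False
    if m.version_end_including and v > parse_version(m.version_end_including):
        return False
    if m.version_end_excluding and v >= parse_version(m.version_end_excluding):
        return False
    return True


def affected_cves(records, vendor, product, version, keyword):
    """Return [(cve_id, 'cpe' | 'keyword')]. Keyword hits carry no CPE data,
    so no version check was possible: review their advisory by hand."""
    hits = []
    for r in records:
        if any(cpe_match_applies(m, vendor, product, version) for m in r.matches):
            hits.append((r.cve_id, "cpe"))
        elif not r.matches and keyword.lower() in r.summary.lower():
            hits.append((r.cve_id, "keyword"))
    return hits


ORANGEHRM = "cpe:2.3:a:orangehrm:orangehrm:{v}:*:*:*:*:*:*:*"

# Constructed sample. Bounds are an assumed reading of the truncated summaries:
# "through 4.6" -> versionEndIncluding, "before 2.7" -> versionEndExcluding.
SAMPLE_RECORDS = [
    CveRecord("CVE-2022-28985", "Stored XSS in addNewPost of OrangeHRM v4.10.1",
              [CpeMatch(ORANGEHRM.format(v="4.10.1"))]),
    CveRecord("CVE-2022-27110", "OrangeHRM 4.10 Host header injection redirect",
              [CpeMatch(ORANGEHRM.format(v="4.10"))]),
    CveRecord("CVE-2020-29437", "SQL injection in the Buzz module of OrangeHRM through 4.6",
              [CpeMatch(ORANGEHRM.format(v="*"), version_end_including="4.6")]),
    CveRecord("CVE-2012-1506", "SQL injection in Hsp.php in OrangeHRM before 2.7",
              [CpeMatch(ORANGEHRM.format(v="*"), version_end_excluding="2.7")]),
    # No CPE data yet, so only the keyword path can surface it.
    CveRecord("CVE-2026-39345", "From 5.0 to 5.8, OrangeHRM Open Source fails to restrict..."),
]

if __name__ == "__main__":
    for ver in ("2.6.11.2", "4.6", "4.10", "4.10.1", "5.7"):
        print(ver, affected_cves(SAMPLE_RECORDS, "orangehrm", "orangehrm", ver, "OrangeHRM"))
```

Two design points worth noting. A pinned CPE version such as 4.10 matches only 4.10, not 4.10.1, which is why the two 2022 entries never both fire for one deployment; and a keyword-only hit is deliberately reported separately, because without CPE data the code cannot tell whether your version is inside the advisory's range, so those entries still need a manual check.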

Known software with vulnerabilities from Orangehrm

Type | Vendor | Product | Version
Application | Orangehrm | Orangehrm | -