OrangeHRM · OrangeHRM · CVE-2026-39348
Name of the Vulnerable Software and Affected Versions
OrangeHRM versions 5.0 through 5.8
Description
OrangeHRM Open Source versions 5.0 through 5.8 lack authorization checks on the download handlers for job specification attachments and vacancy attachments. As a result, any authenticated user, including a low-privilege one, can retrieve these attachments directly by referencing their attachment identifiers.
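The missing check described above, as an added PHP illustration (not OrangeHRM's code): a handler that only requires a login, beside one that authorizes each attachment before serving it. The role names, policy table, sample records and function names are all hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed sample records (attachment id => record); not OrangeHRM's schema.
const ATTACHMENTS = [
    1 => ['kind' => 'vacancy',           'name' => 'interview-notes.pdf', 'vacancyId' => 10],
    2 => ['kind' => 'job_specification', 'name' => 'spec-engineer.docx',  'vacancyId' => null],
];
// Hypothetical policy: roles allowed to read each attachment kind.
const READ_POLICY = ['vacancy' => ['Admin', 'HiringManager'], 'job_specification' => ['Admin']];

final class AccessDenied extends RuntimeException {}

// Pattern from the description: any logged-in user is served whatever
// attachment id the request names.
function downloadUnchecked(?array $user, int $id): array
{
    if ($user === null || !array_key_exists($id, ATTACHMENTS)) {
        throw new AccessDenied('not found');
    }
    return ATTACHMENTS[$id];
}

// Object-level authorization: role must be allowed for this attachment kind,
// and a hiring manager is further limited to vacancies assigned to them.
function canRead(array $user, array $att): bool
{
    if (!in_array($user['role'], READ_POLICY[$att['kind']] ?? [], true)) {
        return false;
    }
    return $user['role'] !== 'HiringManager'
        || in_array($att['vacancyId'], $user['vacancies'], true);
}

function downloadChecked(?array $user, int $id): array
{
    $att = downloadUnchecked($user, $id);      // authentication and lookup
    if (!canRead($user, $att)) {
        throw new AccessDenied('not found');   // same answer as a missing id
    }
    return $att;
}

$employee = ['name' => 'low.priv', 'role' => 'Employee', 'vacancies' => []];
foreach (array_keys(ATTACHMENTS) as $id) {
    echo "unchecked #$id: served ", downloadUnchecked($employee, $id)['name'], "\n";
    try { downloadChecked($employee, $id); echo "checked   #$id: served\n"; }
    catch (AccessDenied $e) { echo "checked   #$id: denied\n"; }
}
```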
Recommendations
Update to version 5.8.1 or later.