Orangehrm · Orangehrm · CVE-2026-39345
Name of the Vulnerable Software and Affected Versions
OrangeHRM versions 5.0 through 5.8
Description
OrangeHRM Open Source versions 5.0 through 5.8 do not properly restrict email template file resolution to the intended plugins directory. This allows an authenticated actor who can influence the template path to read arbitrary local files.
Recommendations
Update to version 5.8.1 or later.