PT-2025-48365 · Orangehrm · Orangehrm

Published 2025-11-29 · Updated 2025-12-24 · CVE-2025-66224

CVSS v4.0: 9.0 Critical
Vector: AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: OrangeHRM versions 5.0 through 5.7
Description: OrangeHRM, a human resource management system, contains an input-neutralization flaw in its mail configuration and delivery workflow. User-controlled values are passed into the system's sendmail command line without being sanitized, so injected input can change how sendmail is invoked during email processing and cause it to write files on the server. If such a file is placed in a web-accessible location, this may lead to execution of attacker-controlled content. The root cause is the construction of OS-level command strings from unsanitized input within the mail-sending logic. Per the CVSS vector, exploitation requires an authenticated account (PR:L) and attack preconditions (AT:P), but it then affects subsequent systems (SC:H/SI:H/SA:H).
Recommendations: OrangeHRM versions 5.0 through 5.7 should be updated to version 5.8 or later.
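The pattern described above, as an added example that is not OrangeHRM's code and not taken from the advisory: a sender address concatenated into a sendmail command string lets extra arguments reach sendmail, while the hardened form validates the value and passes it as a single argv element with no shell. The sendmail path, the address-validation rule and the injected `-X` value (sendmail's real traffic-log option, used here only to illustrate the file-write primitive the advisory describes) are assumptions of this example, not facts from the page.

```python
from __future__ import annotations

import re
import shlex
import subprocess

# Assumed binary path; the advisory does not state how OrangeHRM locates sendmail.
SENDMAIL = "/usr/sbin/sendmail"

# Deliberately conservative addr-spec check (local@domain.tld, no whitespace, no quotes).
# It rejects some RFC 5322 addresses on purpose; that is the right trade-off for a
# value that ends up on a command line.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def vulnerable_sendmail_cmd(sender: str) -> str:
    """Vulnerable pattern (illustrative): the user-supplied sender is concatenated
    into a shell command string without any neutralization."""
    return f"{SENDMAIL} -t -i -f {sender}"


def argv_as_seen_by_shell(cmd: str) -> list[str]:
    """What argv sendmail would actually receive if that string were run via `sh -c`.
    Whitespace in the sender splits into additional arguments, and anything
    starting with '-' is then parsed by sendmail as an option."""
    return shlex.split(cmd)


def validate_sender(sender: str) -> str:
    """Neutralize the value: reject anything that is not a plain address.
    The explicit leading-'-' check matters because '-' is a legal local-part
    character, so the regex alone would accept '-Xfoo@example.com'."""
    if sender.startswith("-") or not _ADDR_RE.fullmatch(sender):
        raise ValueError(f"rejected sender address: {sender!r}")
    return sender


def safe_sendmail_argv(sender: str) -> list[str]:
    """Hardened form: validated value, passed as its own argv element.
    No shell is involved, so spaces and metacharacters cannot create new arguments."""
    return [SENDMAIL, "-t", "-i", "-f", validate_sender(sender)]


def send_via_sendmail(sender: str, message: bytes) -> int:
    """Call shape for the hardened path (not exercised by the example itself):
    argv list, shell=False, message body on stdin."""
    proc = subprocess.run(safe_sendmail_argv(sender), input=message, check=False)
    return proc.returncode


if __name__ == "__main__":
    # Constructed sample input: a sender value carrying an injected sendmail option.
    hostile = "admin@example.com -X/var/www/html/log.php"
    print(argv_as_seen_by_shell(vulnerable_sendmail_cmd(hostile)))
    try:
        safe_sendmail_argv(hostile)
    except ValueError as exc:
        print(exc)
```

The two checks are complementary: the argv list stops the shell from splitting the value, and the validator stops a value that is itself an option name from being handed to sendmail in a position where it would be parsed as one.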

Exploit

Fix

RCE

Code Injection


Weakness Enumeration

Related Identifiers

CVE-2025-66224
GHSA-2W7W-H5WV-XR55

Affected Products

Orangehrm