PT-2025-48365 · Orangehrm · Orangehrm

Published 2025-11-29 · Updated 2025-11-29 · CVE-2025-66224

CVSS v4.0: 9.0
Vector: AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: OrangeHRM versions 5.0 through 5.7

Description: OrangeHRM contains an input-neutralization flaw in its mail configuration and delivery workflow. User-controlled values are not sanitized before being used in the system's sendmail command, so they can change how sendmail is invoked during email processing. This can lead to the application writing files on the server, and potentially to execution of attacker-controlled content if those files are in web-accessible locations. The root cause is that the mail-sending logic builds OS-level command strings from unsanitized input. The vulnerable component is the sendmail command and its parameters.

Recommendations: Upgrade to OrangeHRM version 5.8 or later.
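The class of defect described above is a mail-transport command assembled from configuration strings. The following is an added illustration of the hardened pattern, not OrangeHRM's code and not its fix; the function names, the allowlists and the `-t -i -f` sendmail arguments are assumptions made for the example. The value is validated and then handed to sendmail as one argv element, so no shell parses it and no part of it can be read as an extra option.

```php
<?php
// Added example (hypothetical names): validate mail-configuration values and
// invoke sendmail with an argument array instead of an interpolated string.

function buildSendmailArgv(string $sendmailPath, string $envelopeSender): array
{
    // Allowlist for the binary: absolute path, no whitespace or shell metacharacters.
    if (!preg_match('#^/[A-Za-z0-9_./-]+$#', $sendmailPath)) {
        throw new InvalidArgumentException('sendmail path rejected');
    }
    // The envelope sender must be a plain address. A leading "-" is still a
    // syntactically valid local part, so it is rejected explicitly: sendmail
    // would otherwise treat the value as an option rather than an address.
    if (filter_var($envelopeSender, FILTER_VALIDATE_EMAIL) === false
        || $envelopeSender[0] === '-'
        || preg_match('/\s/', $envelopeSender)) {
        throw new InvalidArgumentException('envelope sender rejected');
    }
    // One array element per argument; nothing here is ever joined into a command line.
    return [$sendmailPath, '-t', '-i', '-f', $envelopeSender];
}

function sendViaSendmail(array $argv, string $message): int
{
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    // proc_open accepts an array command on PHP >= 7.4 and then executes the
    // program directly, bypassing /bin/sh entirely.
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start sendmail');
    }
    fwrite($pipes[0], $message);   // message (headers + body) goes on stdin
    fclose($pipes[0]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);      // sendmail exit status
}

// Constructed sample input; a rejected value throws before anything is executed.
$argv = buildSendmailArgv('/usr/sbin/sendmail', 'hr@example.com');
$message = "To: user@example.com\r\nSubject: test\r\n\r\nhello\r\n";
echo sendViaSendmail($argv, $message), PHP_EOL;
```

Where the application cannot move to an argv-based call, each interpolated value must at least pass through `escapeshellarg()` after the same allowlist check, since quoting alone does not stop sendmail from interpreting a leading dash.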

Tags: Fix, RCE, Code Injection

Related Identifiers: CVE-2025-66224

Affected Products: Orangehrm