PT-2026-30969 · Orangehrm · Orangehrm

Anurag Suri · Published 2026-04-07 · Updated 2026-04-07 · CVE-2026-39346

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

OrangeHRM versions 5.0 through 5.8

Description

OrangeHRM Open Source versions 5.0 through 5.8 allowed authenticated users to bypass disabled-module access controls via URL-encoded request paths and access functionality of modules disabled by an administrator.

Recommendations

Update to version 5.8.1 or later.
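
The bug class named in the description, shown as an added illustration that is not OrangeHRM code: a disabled-module check that reads the raw request path while the router matches the percent-decoded path, next to a check that canonicalizes first. The module names, paths and function names are hypothetical, and the assumption that the check and the router saw different forms of the path is this example's, not a statement from the advisory.

```python
from urllib.parse import unquote

# Hypothetical: modules an administrator has disabled.
DISABLED_MODULES = {"billing"}

# Constructed sample request paths (not taken from any real application).
SAMPLE_PATHS = ["/billing/invoices", "/%62illing/invoices",
                "/%2562illing/invoices", "/reports/summary"]

def module_of(path):
    """Return the first path segment, lower-cased ('' for the root path)."""
    segments = [s for s in path.split("/") if s]
    return segments[0].lower() if segments else ""

def route(raw_path):
    """Toy router: percent-decodes once before matching, as many frameworks do."""
    return module_of(unquote(raw_path))

def naive_guard(raw_path):
    """Flawed check: inspects the raw path, so it sees a different string than route()."""
    return module_of(raw_path) not in DISABLED_MODULES

def canonical_path(raw_path, max_rounds=3):
    """Decode until the path stops changing; refuse paths nested deeper than max_rounds."""
    path = raw_path
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            return path
        path = decoded
    raise ValueError("path still percent-encoded after repeated decoding")

def hardened_guard(raw_path):
    """Check the canonical form; deny anything that cannot be canonicalized."""
    try:
        path = canonical_path(raw_path)
    except ValueError:
        return False
    return module_of(path) not in DISABLED_MODULES

def find_mismatches(paths):
    """Regression/log check: requests the naive guard allows but the router
    would dispatch to a disabled module."""
    return [p for p in paths if naive_guard(p) and route(p) in DISABLED_MODULES]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:28} naive={naive_guard(p)!s:5} hardened={hardened_guard(p)}")
    print("guard/router mismatches:", find_mismatches(SAMPLE_PATHS))
```

The hardened check is deliberately conservative: a doubly encoded path is denied even though the toy router would not resolve it to the disabled module.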

Fix

Improper Access Control


Weakness Enumeration

Related Identifiers

CVE-2026-39346

Affected Products

Orangehrm