PT-2026-30971 · OrangeHRM · OrangeHRM
Sami Ozcan
Published: 2026-04-07 · Updated: 2026-04-07
CVE-2026-39348
CVSS v4.0: 5.3 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
OrangeHRM versions 5.0 through 5.8
Description
OrangeHRM Open Source versions 5.0 through 5.8 lack authorization checks on job specification and vacancy attachment download handlers. This allows authenticated, low-privilege users to access attachments directly by referencing attachment identifiers.
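The defect class named above, missing object-level authorization on a download handler, as an added illustration that is not OrangeHRM's own code: a vulnerable handler that serves whatever record an attachment identifier resolves to, beside a hardened handler that authorizes the caller against that specific record before releasing bytes and logs denials for detection. The classes, roles (`admin`, `ess`), policy table, sample store and function names are all constructed for the example.

```python
"""Constructed illustration of the missing-authorization pattern behind the
advisory. Not OrangeHRM code: the classes, roles, policy, store and handler
names are hypothetical."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # hypothetical roles: "admin" (recruitment access) or "ess" (employee self-service)


@dataclass(frozen=True)
class Attachment:
    attachment_id: int
    kind: str        # "job_spec" or "vacancy"
    filename: str
    content: bytes


# Constructed sample store standing in for the recruitment attachment tables.
ATTACHMENTS = {
    7: Attachment(7, "job_spec", "lead-engineer-spec.pdf", b"%PDF-constructed"),
    12: Attachment(12, "vacancy", "vacancy-12-notes.docx", b"constructed-docx"),
}

# Which roles may read which attachment kind (hypothetical policy).
READ_POLICY = {"job_spec": {"admin"}, "vacancy": {"admin"}}

# Denied attempts are appended here so a detection rule can alert on them.
AUDIT_LOG: list[dict] = []


def download_vulnerable(user: User, attachment_id: int) -> tuple[str, Optional[bytes]]:
    """Vulnerable shape: the handler only requires an authenticated session and
    then serves whatever record the supplied identifier resolves to. The
    caller's role is never consulted."""
    att = ATTACHMENTS.get(attachment_id)
    if att is None:
        return "not_found", None
    return "ok", att.content


def is_authorized(user: User, att: Attachment) -> bool:
    """Object-level check: the caller's role must be allowed to read this kind."""
    return user.role in READ_POLICY.get(att.kind, set())


def download_hardened(user: User, attachment_id: int) -> tuple[str, Optional[bytes]]:
    """Hardened shape: resolve the record, authorize the caller against that
    specific record, and only then release the bytes. Denials are logged."""
    att = ATTACHMENTS.get(attachment_id)
    if att is None:
        return "not_found", None
    if not is_authorized(user, att):
        AUDIT_LOG.append({
            "event": "attachment_download_denied",
            "user_id": user.user_id,
            "role": user.role,
            "attachment_id": attachment_id,
            "kind": att.kind,
        })
        return "forbidden", None
    return "ok", att.content


if __name__ == "__main__":
    admin, employee = User(1, "admin"), User(2, "ess")
    print("vulnerable, ess user:", download_vulnerable(employee, 7)[0])  # ok (the defect)
    print("hardened,   ess user:", download_hardened(employee, 7)[0])    # forbidden
    print("hardened, admin user:", download_hardened(admin, 7)[0])       # ok
    print("denied attempts logged:", len(AUDIT_LOG))
```

The authorization decision is made per record, after the lookup, because the attachment's kind (and in a real system its owner or vacancy) is what the policy must be evaluated against; a check that only asks "is the user logged in" is exactly the gap the advisory describes. A repeated run of `attachment_download_denied` events from one low-privilege account across many identifiers is the signal a detection rule would key on.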
Recommendations
Fix: update to version 5.8.1 or later.
Weakness Enumeration
Missing Authorization
Related Identifiers
CVE-2026-39348
Affected Products
OrangeHRM