Path Traversal in OrangeHRM
CVE-2026-39345
OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source fails to restrict email template file resolution to the intended plugins directory, allowing an authenticated actor who can influen…
Vulnerability class: Path Traversal (Directory Traversal)
EPSS: 0.001 (17.8th percentile)
Affected products
- OrangeHRM: versions >= 5.0, < 5.8.1
Weakness classification (CWE)
References
- https://github.com/orangehrm/orangehrm/security/advisories/GHSA-xq24-qv66-9v3m (x_refsource_CONFIRM)