QwikSec

Security Database

CVE

CWE

Training

CVE-2026-39345

Published: Apr 7, 2026

Modified: Apr 7, 2026

PUBLISHED

Description

OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source fails to restrict email template file resolution to the intended plugins directory, allowing an authenticated actor who can influence the template path to read arbitrary local files. This vulnerability is fixed in 5.8.1.

Vendor	Product	Versions
orangehrm	orangehrm	affected `>= 5.0, < 5.8.1`

Weaknesses (CWE)

References

https://github.com/orangehrm/orangehrm/security/advisories/GHSA-xq24-qv66-9v3m

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.