Vulnerability Details CVE-2026-39346
OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source allowed authenticated users to bypass disabled-module access controls via URL-encoded request paths and access functionality of modules disabled by an administrator. This vulnerability is fixed in 5.8.1.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 11.6%
CVSS Severity
CVSS v3 Score 5.4
Products affected by CVE-2026-39346
-
cpe:2.3:a:orangehrm:orangehrm:5.0
-
cpe:2.3:a:orangehrm:orangehrm:5.1
-
cpe:2.3:a:orangehrm:orangehrm:5.2
-
cpe:2.3:a:orangehrm:orangehrm:5.3
-
cpe:2.3:a:orangehrm:orangehrm:5.4
-
cpe:2.3:a:orangehrm:orangehrm:5.5
-
cpe:2.3:a:orangehrm:orangehrm:5.6
-
cpe:2.3:a:orangehrm:orangehrm:5.6.1
-
cpe:2.3:a:orangehrm:orangehrm:5.7
-
cpe:2.3:a:orangehrm:orangehrm:5.8