Vulnerability Details CVE-2026-39348
OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source omits authorization on job specification and vacancy attachment download handlers, allowing authenticated low-privilege users to read attachments via direct reference to attachment identifiers. This vulnerability is fixed in 5.8.1.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 11.6%
CVSS Severity
CVSS v3 Score 4.3
Products affected by CVE-2026-39348
-
cpe:2.3:a:orangehrm:orangehrm:5.0
-
cpe:2.3:a:orangehrm:orangehrm:5.1
-
cpe:2.3:a:orangehrm:orangehrm:5.2
-
cpe:2.3:a:orangehrm:orangehrm:5.3
-
cpe:2.3:a:orangehrm:orangehrm:5.4
-
cpe:2.3:a:orangehrm:orangehrm:5.5
-
cpe:2.3:a:orangehrm:orangehrm:5.6
-
cpe:2.3:a:orangehrm:orangehrm:5.6.1
-
cpe:2.3:a:orangehrm:orangehrm:5.7
-
cpe:2.3:a:orangehrm:orangehrm:5.8