OrangeHRM Inc. is committed to safeguarding the security and integrity of its software products and services. Any security testing must strictly adhere to our Vulnerability Disclosure Policy. Unauthorized testing, including activities conducted without prior review of and compliance with this policy, is strictly prohibited and may result in legal action. All identified security vulnerabilities or related concerns must be reported exclusively to: ossecurity@orangehrm.com.
Security: orangehrm/orangehrm
- Improper Authorization Allows Unauthorized Access to Interview Attachments (GHSA-v32g-r8xx-4g6g), published Nov 28, 2025 by RajithaKumara. Severity: Moderate
- Improper Authorization Allows Unauthorized Access to Candidate Attachments (GHSA-qf8r-c54j-jw88), published Nov 28, 2025 by RajithaKumara. Severity: Moderate
- Persistent Session Access Caused by Missing Invalidation After User Disable and Password Change (GHSA-99qp-xh4q-pr9x), published Nov 28, 2025 by RajithaKumara. Severity: High
- Account Takeover Through Unvalidated Username in Password Reset Workflow (GHSA-5ghw-9775-v263), published Nov 28, 2025 by RajithaKumara. Severity: High
- Code Execution Through Arbitrary File Write from Sendmail Parameter Injection (GHSA-2w7w-h5wv-xr55), published Nov 28, 2025 by RajithaKumara. Severity: Critical
Learn more about advisories related to orangehrm/orangehrm in the GitHub Advisory Database