CVE-2026-39345
Received Received - Intake
Local File Read via Email Template Path in OrangeHRM

Publication date: 2026-04-07

Last updated on: 2026-04-09

Assigner: GitHub, Inc.

Description
OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source fails to restrict email template file resolution to the intended plugins directory, allowing an authenticated actor who can influence the template path to read arbitrary local files. This vulnerability is fixed in 5.8.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-09
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39345
EUVD
EUVD-2026-19855
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
orangehrm orangehrm From 5.0 (inc) to 5.8.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-39345 is a vulnerability in OrangeHRM Open Source versions 5.0 through 5.8 where the system fails to properly restrict the resolution of email template file paths to the intended plugins directory.

This flaw allows an authenticated user with high privileges who can influence the email template path to perform a path traversal attack, enabling them to read arbitrary local files on the server.

The vulnerability arises because the software does not properly sanitize special path elements like "../", allowing access outside the restricted directory.

It was fixed in version 5.8.1 of OrangeHRM.

Impact Analysis

This vulnerability can impact you by allowing an authenticated user with elevated privileges to read arbitrary local files on the server hosting OrangeHRM.

While the initial confidentiality impact is low, the ability to read arbitrary files can lead to exposure of sensitive or confidential information stored on the server, which can have serious consequences.

There is no direct impact on system integrity or availability from this vulnerability.

Detection Guidance

This vulnerability can be detected by verifying if your OrangeHRM Open Source installation is running a version between 5.0 and 5.8 inclusive, as these versions are affected.

Since the vulnerability involves an authenticated user with high privileges manipulating the email template path to read arbitrary local files, detection can involve checking for unusual or unauthorized access patterns to email template files or attempts to access files outside the intended plugins directory.

Specific commands are not provided in the available resources, but general detection steps could include:

  • Reviewing application logs for suspicious template path parameters or file access attempts.
  • Using file integrity monitoring tools to detect unexpected file reads or accesses.
  • Checking the version of OrangeHRM installed by running commands like `dpkg -l | grep orangehrm` on Debian-based systems or inspecting the application version via its interface or deployment metadata.
Mitigation Strategies

The immediate and most effective mitigation step is to upgrade OrangeHRM Open Source to version 5.8.1 or later, where this vulnerability has been fixed.

Until the upgrade can be performed, restrict access to the application to only trusted authenticated users with high privileges, as the vulnerability requires such privileges to be exploited.

Additionally, monitor and audit email template path usage and file access patterns to detect any attempts to exploit the vulnerability.

Compliance Impact

This vulnerability allows an authenticated user with high privileges to read arbitrary local files on the server, potentially exposing confidential information stored on the system.

Such unauthorized disclosure of sensitive data could lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls to protect personal and sensitive information from unauthorized access.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39345. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart