CVE-2025-66290

low-risk
Published 2025-11-29

OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application’s recruitment attachment retrieval endpoint does not enforce the required authorization checks before serving candidate files. Even users restricted to ESS-level access, who have no permission to view the Recruitment module, can directly access candidate attachment URLs. When an authenticated request is made to the attachment endpoint, the system validates the session but does not confirm that the requesting user has the necessary recruitment permissions. As a result, any authenticated user can download CVs and other uploaded documents for arbitrary candidates by issuing direct requests to the attachment endpoint, leading to unauthorized exposure of sensitive applicant data. This issue has been patched in version 5.8.

Do I need to act?

-
0.04% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.3/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Orangehrm

References (1)

Vendor Advisory https://github.com/orangehrm/orangehrm/security/advisories/GHSA-qf8r-c54j-jw88
23
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal