Uncontrolled File Retrieval in OrangeHRM Human Resource Management System
CVE-2025-66291

5.3 MEDIUM

Key Information:

Vendor: Orangehrm
Status: Vendor
CVE Published: 29 November 2025

What is CVE-2025-66291?

The OrangeHRM system contains a critical vulnerability in the Recruitment module: the interview attachment retrieval endpoint serves files based solely on the presence of an authenticated session and a user-supplied identifier. Because the endpoint performs no authorization check beyond authentication, low-privileged users, such as those with ESS-level access, can directly request and read confidential interview-related files, including candidate CVs and evaluations. The vulnerability arises from the combination of predictable object identifiers and reliance on session presence alone, without validating that the requesting user is associated with the recruitment process in question. A patch has been released in version 5.8 to address this issue.
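The following is an added, illustrative example and not code from OrangeHRM or its patch. It contrasts the pattern described above (a file-serving handler that checks only for a logged-in session and then trusts a client-supplied attachment id) with a hardened handler that additionally verifies the caller's association with the interview record before returning the file. The users, interviews, attachments, role names and the `is_authorized` policy are all constructed in memory for the demonstration and are assumptions, not OrangeHRM's data model.

```python
"""Missing-authorization on object retrieval: vulnerable vs. hardened handler.

Illustrative example (not OrangeHRM code). Data and roles are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # constructed roles: "admin", "hiring_manager", "interviewer", "ess"


@dataclass(frozen=True)
class Interview:
    id: int
    candidate_id: int
    hiring_manager_id: int
    interviewer_ids: frozenset


@dataclass(frozen=True)
class Attachment:
    id: int
    interview_id: int
    filename: str
    content: bytes


# Constructed sample data. Note the small, sequential attachment ids: with no
# ownership check, any authenticated user can walk them.
USERS = {
    1: User(1, "admin"),
    2: User(2, "hiring_manager"),
    3: User(3, "interviewer"),
    4: User(4, "ess"),             # ordinary employee, no recruitment role
    5: User(5, "hiring_manager"),  # manages a different requisition
}
INTERVIEWS = {
    10: Interview(10, candidate_id=100, hiring_manager_id=2,
                  interviewer_ids=frozenset({3})),
}
ATTACHMENTS = {
    7: Attachment(7, interview_id=10, filename="candidate-cv.pdf",
                  content=b"%PDF-1.4 constructed sample CV"),
}


class Forbidden(Exception):
    """Caller is not authenticated."""


class NotFound(Exception):
    """Object does not exist, or caller is not allowed to know whether it does."""


def vulnerable_get_attachment(session_user_id: int, attachment_id: int) -> bytes:
    """Vulnerable pattern: session presence is the only gate.

    The attachment id alone selects the file; nothing ties the caller to the
    interview the file belongs to, so any logged-in user can fetch any file.
    """
    if session_user_id not in USERS:
        raise Forbidden("login required")
    att = ATTACHMENTS.get(attachment_id)
    if att is None:
        raise NotFound("attachment not found")
    return att.content


def is_authorized(user: User, interview: Interview) -> bool:
    """Constructed policy: only staff attached to this interview may read its files."""
    if user.role == "admin":
        return True
    if user.role == "hiring_manager" and interview.hiring_manager_id == user.id:
        return True
    if user.role == "interviewer" and user.id in interview.interviewer_ids:
        return True
    return False  # ESS users and unrelated recruiters get nothing


def hardened_get_attachment(session_user_id: int, attachment_id: int) -> bytes:
    """Hardened pattern: authenticate, then authorize against the owning record.

    The lookup walks attachment -> interview and checks the caller's relationship
    to that interview. Missing and unauthorized objects return the same NotFound,
    so the endpoint does not double as an id-enumeration oracle.
    """
    user = USERS.get(session_user_id)
    if user is None:
        raise Forbidden("login required")
    att = ATTACHMENTS.get(attachment_id)
    interview = INTERVIEWS.get(att.interview_id) if att is not None else None
    if att is None or interview is None or not is_authorized(user, interview):
        raise NotFound("attachment not found")
    return att.content


def access_denied(handler, session_user_id: int, attachment_id: int) -> bool:
    """True when the handler refuses the request (used for checks below)."""
    try:
        handler(session_user_id, attachment_id)
    except (Forbidden, NotFound):
        return True
    return False


if __name__ == "__main__":
    # ESS user 4 reads the CV through the vulnerable handler, but not the hardened one.
    print(vulnerable_get_attachment(4, 7)[:8])
    print("hardened denies ESS:", access_denied(hardened_get_attachment, 4, 7))
```

The design point is that the authorization decision is made against the record that owns the file (the interview), not against the file id or the session alone; the same pattern applies to any endpoint that maps a client-supplied identifier to a stored object.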

Affected Version(s)

orangehrm >= 5.0, < 5.8

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
