Vulnerability Details CVE-2026-39349
OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source encrypts certain sensitive fields with AES in ECB mode, which preserves block-aligned plaintext patterns in ciphertext and enables pattern disclosure against stored data. This vulnerability is fixed in 5.8.1.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 2.9%
CVSS Severity
CVSS v3 Score 2.7
Products affected by CVE-2026-39349
-
cpe:2.3:a:orangehrm:orangehrm:5.0
-
cpe:2.3:a:orangehrm:orangehrm:5.1
-
cpe:2.3:a:orangehrm:orangehrm:5.2
-
cpe:2.3:a:orangehrm:orangehrm:5.3
-
cpe:2.3:a:orangehrm:orangehrm:5.4
-
cpe:2.3:a:orangehrm:orangehrm:5.5
-
cpe:2.3:a:orangehrm:orangehrm:5.6
-
cpe:2.3:a:orangehrm:orangehrm:5.6.1
-
cpe:2.3:a:orangehrm:orangehrm:5.7
-
cpe:2.3:a:orangehrm:orangehrm:5.8