ByteOS Network

CVE Vulnerability Details :

CVE-2026-39349

PUBLISHED

More Info Official Page

Assigner-GitHub_M

Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa

Published At-07 Apr, 2026 | 18:22

Updated At-07 Apr, 2026 | 19:27

▼CVE Numbering Authority (CNA)

OrangeHRM Uses AES-ECB for Sensitive Data Encryption Enables Pattern Disclosure

OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source encrypts certain sensitive fields with AES in ECB mode, which preserves block-aligned plaintext patterns in ciphertext and enables pattern disclosure against stored data. This vulnerability is fixed in 5.8.1.

Affected Products

Vendor

orangehrm

Product

orangehrm

Versions

Affected

>= 5.0, < 5.8.1

Problem Types

Type	CWE ID	Description
CWE	CWE-326	CWE-326: Inadequate Encryption Strength

Type: CWE

CWE ID: CWE-326

Description: CWE-326: Inadequate Encryption Strength

Metrics

Version	Base score	Base severity	Vector
4.0	2.1	LOW	CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Version: 4.0

Base score: 2.1

Base severity: LOW

Vector:

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

Hyperlink	Resource
https://github.com/orangehrm/orangehrm/security/advisories/GHSA-g29m-3jgj-gprg	x_refsource_CONFIRM

Hyperlink: https://github.com/orangehrm/orangehrm/security/advisories/GHSA-g29m-3jgj-gprg

Resource:

x_refsource_CONFIRM

▼Authorized Data Publishers (ADP)

CISA ADP Vulnrichment

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References