OrangeHRM Sendmail Parameter Injection Vulnerability Leading to Arbitrary File Write and Code Execution

Vulnerability

A critical vulnerability in OrangeHRM versions 5.0 through 5.7 allows arbitrary file writes and execution of attacker-controlled content. The issue arises from an input-neutralization flaw in the mail configuration and delivery workflow: user-controlled values are injected directly into the system's sendmail command without proper sanitization. As a result, certain sendmail behaviors can be triggered during email processing to write files on the server. Where these files land in web-accessible locations, the vulnerability can be leveraged for code execution. The flaw has been patched in version 5.8.
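The defensive pattern that closes this class of flaw is to never let configuration or user input flow into the sendmail command line unchecked. The following is an added example, not OrangeHRM code; it assumes the injectable values are an administrator-editable sendmail command string and a sender address (both are assumptions about the application), and shows an allowlist validator that builds an argv list rather than a shell string.

```python
"""Validate mail-configuration values before they reach a sendmail command line.

Added example, not OrangeHRM code. Assumes the application stores an
administrator-editable sendmail command string and a sender address,
and later hands both to the MTA.
"""
import re
import shlex

# Constructed allowlist of MTA binaries and the only options we permit.
ALLOWED_BINARIES = frozenset({"/usr/sbin/sendmail", "/usr/lib/sendmail"})
ALLOWED_OPTIONS = frozenset({"-t", "-i", "-bs"})
# Conservative address check: single local@domain, first char alphanumeric,
# no whitespace, quotes or shell metacharacters.
_ADDR_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
_SHELL_META = set(";&|`$<>(){}\n\r\\\"'")


def validate_sendmail_command(command: str) -> list[str]:
    """Return the argv to execute, or raise ValueError if the command is unsafe."""
    if any(ch in _SHELL_META for ch in command):
        raise ValueError("shell metacharacters are not allowed in sendmail command")
    argv = shlex.split(command)
    if not argv or argv[0] not in ALLOWED_BINARIES:
        raise ValueError("sendmail binary must be one of the allowlisted paths")
    for tok in argv[1:]:
        if tok not in ALLOWED_OPTIONS:
            # Unknown options, option values and extra paths are all rejected,
            # so attacker-supplied parameters never reach the MTA.
            raise ValueError(f"disallowed sendmail argument: {tok!r}")
    return argv


def validate_sender(address: str) -> str:
    """Return the sender address, or raise ValueError if it could alter the command line."""
    if not _ADDR_RE.fullmatch(address):
        raise ValueError("sender address is not a plain local@domain address")
    return address


def build_argv(command: str, sender: str) -> list[str]:
    """Compose an argv list (never a shell string) so each value is exactly one argument."""
    argv = validate_sendmail_command(command)
    return argv + ["-f", validate_sender(sender)]


if __name__ == "__main__":
    # Constructed sample inputs: a normal configuration and a tampered one.
    print(build_argv("/usr/sbin/sendmail -t -i", "hr@example.com"))
    try:
        build_argv("/usr/sbin/sendmail -t --bogus=1", "hr@example.com")
    except ValueError as exc:
        print("rejected:", exc)
```

Pass the returned list to `subprocess.run(argv)` (or the language's equivalent) without `shell=True`, so the validated tokens are the only arguments the MTA ever sees.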

Impact

Exploitation of this vulnerability allows arbitrary file writes on the server, with potential execution of attacker-controlled content if the written files are reachable via the web.

Remediation

Users can upgrade to OrangeHRM version 5.8 to address this vulnerability.

Added: Nov 29, 2025, 4:19 AM
Updated: Nov 29, 2025, 4:19 AM

Vulnerability Rating

Custom Algorithm

spread          3.1
impact         10.0
exploitability  4.8
remediation     7.7
relevance       1.1
threat          0.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.