CVE-2025-66225 · HIGH 8.8 · EPSS percentile 4.6%

Description

OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the password reset workflow does not enforce that the username submitted in the final reset request matches the account for which the reset process was originally initiated. After obtaining a valid reset link for any account they can receive email for, an attacker can alter the username parameter in the final reset request to target a different user. Because the system accepts the supplied username without verification, the attacker can set a new password for any chosen account, including privileged accounts, resulting in full account takeover. This issue has been patched in version 5.8.
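The missing binding described above, shown as an added Python example that is not OrangeHRM's code: the reset ticket records the account at initiation, and the final step rejects any submitted username that disagrees with it (class and function names, the in-memory store and the 15-minute lifetime are assumptions).

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class ResetTicket:
    username: str      # account the reset was initiated for; never taken from the final request
    expires_at: float


class PasswordResetService:
    """Constructed, minimal reset flow: the token is bound to an account when it is issued."""

    def __init__(self, accounts):
        self.accounts = accounts            # username -> stored password hash (constructed sample)
        self.tickets = {}                   # sha256(token) -> ResetTicket

    def initiate(self, username):
        if username not in self.accounts:
            return None
        token = secrets.token_urlsafe(32)   # random, unguessable; delivered to the account's own email
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.tickets[digest] = ResetTicket(username, time.time() + 15 * 60)
        return token

    def complete(self, token, submitted_username, new_password):
        digest = hashlib.sha256(token.encode()).hexdigest()
        ticket = self.tickets.get(digest)
        if ticket is None or time.time() > ticket.expires_at:
            return False                    # unknown or expired token
        # The check the advisory describes as missing: the target account comes from the
        # ticket, and a request naming any other account is refused rather than honoured.
        if not hmac.compare_digest(ticket.username.encode(), submitted_username.encode()):
            return False
        del self.tickets[digest]            # single use
        self.accounts[ticket.username] = hash_password(new_password)
        return True


def hash_password(password):
    salt = secrets.token_bytes(16)
    return salt.hex() + ":" + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()
```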

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.15% probability of exploitation · percentile 4.6% · 2026-06-18T12:00:27Z
Published: 2025-11-29
Last modified: 2025-12-03

Underlying weaknesses · 3

CWE-20, CWE-345, CWE-640

References

  1. https://github.com/orangehrm/orangehrm/security/advisories/GHSA-5ghw-9775-v263


Type      Target                                                              Confidence  Tier
Weakness  Improper Input Validation (CWE-20)                                  0%          live
Weakness  Insufficient Verification of Data Authenticity (CWE-345)            0%          live
Weakness  Weak Password Recovery Mechanism for Forgotten Password (CWE-640)   0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-66289
  2. CVE-2025-66224
  3. CVE-2025-14975
  4. CVE-2025-15030
  5. CVE-2025-48986
  6. CVE-2026-50635

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.