• Cybersecurity Vulnerabilities

    CVE-2025-66290: Critical Recruitment Attachment Exposure in OrangeHRM – Update Immediately!

    Overview

    CVE-2025-66290 is a security vulnerability affecting OrangeHRM versions 5.0 through 5.7. This flaw allows unauthorized access to recruitment attachments, such as resumes and cover letters, by authenticated users, even those with limited ESS (Employee Self-Service) access who should not have access to the Recruitment module.

    Technical Details

    The vulnerability stems from a missing authorization check in the application’s recruitment attachment retrieval endpoint. When an authenticated request is made to this endpoint, OrangeHRM validates the user’s session but fails to verify whether the user possesses the necessary permissions to access the Recruitment module and candidate data. This oversight enables any…

  • Cybersecurity Vulnerabilities

    CVE-2025-66289: OrangeHRM Session Management Vulnerability – Upgrade to Avoid Unauthorized Access!

    Overview

    A critical vulnerability, identified as CVE-2025-66289, has been discovered in OrangeHRM, a widely used human resource management (HRM) system. This vulnerability impacts versions 5.0 through 5.7. The core issue lies in the application’s failure to properly invalidate existing user sessions upon account disablement or password changes. This allows already active sessions to remain valid indefinitely, posing a significant security risk.

    Technical Details

    The vulnerability stems from a lack of session revocation or session-store cleanup mechanisms within OrangeHRM when critical state changes occur, specifically when a user account is disabled or when the user’s password is changed. As a result,…

  • Cybersecurity Vulnerabilities

    CVE-2025-66225: Critical Account Takeover Vulnerability in OrangeHRM – Upgrade Immediately!

    Published: 2025-11-29

    Overview

    CVE-2025-66225 describes a critical vulnerability affecting OrangeHRM, a widely used human resource management system. This flaw allows an attacker to potentially take over any user account, including administrator accounts, by manipulating the password reset workflow. Versions 5.0 through 5.7 of OrangeHRM are affected. A patch is available in version 5.8.

    Technical Details

    The vulnerability resides within the password reset functionality. Specifically, the system fails to properly validate the username provided during the final password reset request. Here’s how the attack works: An attacker initiates a password reset for *any* account for which they can intercept email (even…

  • Cybersecurity Vulnerabilities

    Critical Vulnerability Patched in OrangeHRM: CVE-2025-66224 Allows Arbitrary File Write and Potential RCE

    Overview

    This article details a critical vulnerability, identified as CVE-2025-66224, affecting OrangeHRM, a widely used human resource management system. Versions 5.0 to 5.7 are vulnerable to an input-neutralization flaw in the mail configuration and delivery workflow. This allows attackers to potentially write arbitrary files on the server, which in turn could lead to Remote Code Execution (RCE) if the written files are accessible via the web.

    Technical Details

    The vulnerability stems from the lack of proper sanitization of user-controlled input within the mail-sending logic. Specifically, when configuring and sending emails, user-provided values are directly incorporated into the system’s `sendmail` command.…

  • Cybersecurity Vulnerabilities

    Critical Reflected XSS Vulnerability Found in krpano (CVE-2025-65892)

    Overview

    A critical security vulnerability, identified as CVE-2025-65892, has been discovered in krpano versions prior to 1.23.2. This vulnerability is a Reflected Cross-Site Scripting (rXSS) flaw that could allow a remote, unauthenticated attacker to execute arbitrary JavaScript code in the browser of an unsuspecting user. This is achieved through a specially crafted URL targeting the `passQueryParameters` function when the `xml` parameter is enabled. Users of krpano are strongly advised to update to version 1.23.2 or later immediately.

    Technical Details

    The vulnerability lies within the `passQueryParameters` function of krpano. When the `xml` parameter is enabled, the function doesn’t properly sanitize user-supplied…

  • Cybersecurity Vulnerabilities

    Urgent Security Alert: XSS Vulnerabilities Plague xmall v1.1 (CVE-2025-65540)

    Overview

    A critical security vulnerability, identified as CVE-2025-65540, has been discovered in xmall version 1.1. This vulnerability involves multiple Cross-Site Scripting (XSS) flaws stemming from the application’s failure to properly sanitize or encode user-supplied data before rendering it in HTML. This oversight allows attackers to inject and execute malicious scripts within the context of vulnerable pages.

    Technical Details

    The XSS vulnerabilities are present in user input fields such as username and description. These fields accept user-provided data, which is then directly included in HTML output without adequate sanitization. An attacker can exploit this by injecting malicious JavaScript code into these…

  • Cybersecurity Vulnerabilities

    OpenObserve: Unexpired Invitation Tokens Lead to Privilege Escalation (CVE-2025-66223)

    Overview

    CVE-2025-66223 identifies a critical broken access control vulnerability within OpenObserve, a cloud-native observability platform. Specifically, organization invitation tokens did not expire and remained valid even after a user was removed or demoted, allowing them to potentially regain access or escalate their privileges. This issue affects versions prior to 0.16.0. This article details the vulnerability, its potential impact, and the necessary steps for mitigation.

    Technical Details

    The vulnerability stems from the way OpenObserve handles organization invitations. Before version 0.16.0, when an administrator invited a user to join an organization, the generated invitation token would persist indefinitely. Furthermore, multiple invitations with…

  • Cybersecurity Vulnerabilities

    CVE-2025-66221: Werkzeug Vulnerability Leads to Potential Denial-of-Service on Windows

    Overview

    CVE-2025-66221 describes a security vulnerability in Werkzeug, a comprehensive WSGI web application library. Specifically, the `safe_join` function, when used in conjunction with `send_from_directory` on Windows operating systems, can lead to a denial-of-service (DoS) condition. This occurs because `safe_join` incorrectly handles path segments containing Windows device names (e.g., CON, AUX). This vulnerability is patched in Werkzeug version 3.1.4.

    Technical Details

    On Windows systems, certain device names like “CON,” “AUX,” “PRN,” “NUL,” “COM1,” “COM2,” etc. are reserved and implicitly exist in every directory. When Werkzeug’s `safe_join` function processes a path ending with such a device name, it fails to properly sanitize…

  • Cybersecurity Vulnerabilities

    AIS-catcher MQTT Parsing Vulnerability (CVE-2025-66217): A Deep Dive

    Overview

    CVE-2025-66217 identifies a critical vulnerability in AIS-catcher, a multi-platform AIS receiver, specifically affecting versions prior to 0.64. This flaw resides within the MQTT parsing logic and stems from an integer underflow. By exploiting this vulnerability, a malicious actor can trigger a substantial Heap Buffer Overflow through a carefully crafted MQTT packet containing a manipulated Topic Length field. This leads to an immediate Denial of Service (DoS) condition and, when AIS-catcher is employed as a library, severe memory corruption which could potentially be exploited for Remote Code Execution (RCE).

    Technical Details

    The vulnerability is rooted in the way AIS-catcher handles…

  • Cybersecurity Vulnerabilities

    AIS-catcher Heap Buffer Overflow Vulnerability (CVE-2025-66216) – Update Now!

    Overview

    A critical heap buffer overflow vulnerability has been identified in AIS-catcher, a multi-platform AIS receiver. This vulnerability, tracked as CVE-2025-66216, affects versions prior to 0.64. The issue resides within the `AIS::Message` class and allows a malicious actor to potentially overwrite sensitive memory, leading to unpredictable behavior or even remote code execution. Users of AIS-catcher are strongly advised to update to version 0.64 immediately.

    Technical Details

    CVE-2025-66216 is a heap buffer overflow vulnerability located in the `AIS::Message` class of AIS-catcher. Specifically, the vulnerability allows an attacker to write approximately 1KB of arbitrary data into a buffer that is only 128…