CVE-2026-39347
OrangeHRM's Self‑Appraisal Submission of Admin Users Can Be Modified After CompletionOrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source accepts changes to self-appraisal submissions for administrator users after those submissions have been marked completed, breaking integrity of finalized appraisal records. This vulnerability is fixed in 5.8.1.
We have discovered 9 live websites that are affected by CVE-2026-39347.
Affected Software
| Product | |
| Category | Talent Management System |
| Vulnerable Domains | 9 live websites (100% of OrangeHRM install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 2 versions ( 100% of all versions) |
Common Weakness Enumeration
CWE-285 Improper AuthorizationDetails
- Published - Apr 7, 2026
- Updated - Apr 9, 2026
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2026-39347 United States | 3 websites |
 Bangladesh | 1 websites |
 Germany | 1 websites |
 GB | 1 websites |
 India | 1 websites |
 Nigeria | 1 websites |
 Zambia | 1 websites |
Website Distribution by TLD
Number of websites using CVE-2026-39347| .com | 4 websites |
| .net | 1 websites |
| .org | 1 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-39347
Top websites that are affected by CVE-2026-39347. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ******.org | GB | *,***,*** | |
| ***.***.zm | Zambia | *,***,*** | |
| ***************.*************.com | United States | **,***,*** | |
| ****.*****.**.in | India | **,***,*** | |
| ***.*******************.***.ng | Nigeria | **,***,*** | |
| ***************.com | United States | **,***,*** | |
| *********.net | Germany | **,***,*** | |
| *********.com | Bangladesh | ***,***,*** | |
| ************.com | United States | ***,***,*** |
FAQ
CVE-2026-39347 is Improper Authorization in OrangeHRM
A total of 9 websites have been identified as vulnerable to CVE-2026-39347, based on global website indexing conducted by WebTechSurvey.
The OrangeHRM is affected by the CVE-2026-39347 vulnerability.
OrangeHRM versions up to 5.8.1 are vulnerable to CVE-2026-39347.
CVE-2026-39347 is resolved in version 5.8.1 of OrangeHRM.