Home > Vulnerability Database > CVE-2025-66225

Mend.io Vulnerability Database

CVE-2025-66225

Good to know:

Date: November 28, 2025

OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the password reset workflow does not enforce that the username submitted in the final reset request matches the account for which the reset process was originally initiated. After obtaining a valid reset link for any account they can receive email for, an attacker can alter the username parameter in the final reset request to target a different user. Because the system accepts the supplied username without verification, the attacker can set a new password for any chosen account, including privileged accounts, resulting in full account takeover. This issue has been patched in version 5.8.

Severity Score

8.8

Related Resources (3)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-66225

Url: https://github.com/orangehrm/orangehrm/security/advisories/GHSA-5ghw-9775-v263

Url: https://www.mend.io/vulnerability-database/CVE-2025-66225

Severity Score

8.8

Weakness Type (CWE)

Improper Input Validation

CWE-20

Insufficient Verification of Data Authenticity

CWE-345

Weak Password Recovery Mechanism for Forgotten Password

CWE-640

Top Fix

Upgrade Version

Upgrade to version https://github.com/orangehrm/orangehrm.git - v5.8

Learn More

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-66225

Good to know:

Date: November 28, 2025

Severity Score

Related Resources (3)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?