CVE-2026-44666
HRConvert2: Missing Sanitization enables Unauthenticated Remote Command Execution
HRConvert2 is a self-hosted, drag-and-drop, NoSQL file conversion and sharing server. In versions before 3.3.8, the sanitizeString() function in convertCore.php strips a fixed list of shell metacharacters from user-supplied input but omits the backtick (`) and the tab character (\t). The "sanitized" value is later concatenated into a command string that is passed to shell_exec(), so /bin/sh still interprets both characters: a backtick sequence inside a filename runs as a command substitution, and a tab acts as word-separating whitespace, turning what should be a single argument into several shell words. An unauthenticated user who controls an uploaded filename can therefore execute arbitrary commands on the server. The root cause is the usual weakness of a strip list: it must enumerate every character the shell treats specially, and missing one is enough. The vulnerability is fixed in 3.3.8; the durable pattern is to pass user data through escapeshellarg() or, better, to avoid the shell entirely (for example proc_open() with an argv array, supported since PHP 7.4).

| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
| CWE | CWE-78 |
| Vendor | zelon88 |
| Product | hrconvert2 |
| Published | May 14, 2026 |
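The following PHP is an added illustration of the bug class this advisory describes; it is not HRConvert2's code. sanitize_by_blocklist() is a hypothetical strip-list sanitizer that, like the pre-3.3.8 sanitizeString(), omits backtick and tab; run_unquoted() and run_quoted() stand in for the shell_exec() call, with printf in place of the real converter so that every shell word is printed in brackets. All function names, the strip list and the sample filenames are constructed for this example, and it assumes a POSIX /bin/sh behind shell_exec().

```php
<?php
// Added example, not HRConvert2's code. The strip list below is a hypothetical
// blocklist chosen to mirror the bug class: it omits backtick and tab.

// Blocklist sanitizer: deletes a fixed set of shell metacharacters from a filename.
function sanitize_by_blocklist(string $input): string
{
    $strip = ['|', ';', '&', '$', '>', '<', '(', ')', '{', '}', "\n", "'", '"', '\\', '*', '?', ' '];
    return str_replace($strip, '', $input);
}

// Reports shell-significant characters that survived sanitization.
function shell_risky_chars(string $s): array
{
    $found = [];
    $checks = ['`' => 'backtick', "\t" => 'tab', "\n" => 'newline', '$' => 'dollar', ';' => 'semicolon'];
    foreach ($checks as $c => $label) {
        if (strpos($s, $c) !== false) {
            $found[] = $label;
        }
    }
    return $found;
}

// Vulnerable pattern: the filename is spliced into the command string and the
// shell parses it. printf stands in for the converter; each word it receives is
// printed in brackets, which makes substitution and word splitting visible.
function run_unquoted(string $name): string
{
    return (string) shell_exec("printf '[%s]\\n' " . $name);
}

// Hardened pattern: escapeshellarg() wraps the value in single quotes and
// escapes embedded quotes, so the shell hands it over as one literal word.
function run_quoted(string $name): string
{
    return (string) shell_exec("printf '[%s]\\n' " . escapeshellarg($name));
}

// Constructed filenames: one carries a command substitution, one a tab.
$samples = [
    "report`id`.pdf",  // backtick survives the blocklist; sh runs id
    "report\tid.pdf",  // tab survives; sh splits the name into two words
];

foreach ($samples as $name) {
    $cleaned = sanitize_by_blocklist($name);
    echo "after blocklist : " . json_encode($cleaned) . "\n";
    echo "still risky     : " . implode(', ', shell_risky_chars($cleaned)) . "\n";
    echo "unquoted words  :\n" . run_unquoted($cleaned);
    echo "quoted words    :\n" . run_quoted($cleaned) . "\n";
}
```

Run it with `php example.php`. For the backtick sample the unquoted call prints the output of `id` spliced into the filename across several bracketed words, and for the tab sample it prints `[report]` and `[id.pdf]` as two separate words; in both cases the escapeshellarg() call prints the whole filename as a single bracketed word, backtick and tab included. Stripping characters is a losing game because the shell's grammar, not the application, decides which bytes are special; quoting the argument or dropping the shell removes the problem class rather than one instance of it.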
Affected Versions
zelon88 / HRConvert2
< 3.3.8