CVE Catalog

CVE-2026-44666

Critical
Published: Translated: NVD NIST

Summary

HRConvert2 prior to version 3.3.8 has a vulnerability in the sanitizeString() function that does not remove backtick (`) and tab ( ) characters. As a result, user input can reach shell_exec(), allowing commands within filenames to be executed.

Risk Assessment

Exploitation of this vulnerability could lead to unauthorized command execution on the server, posing a serious security threat to the system.

Recommendation

It is recommended to upgrade to version 3.3.8 or later to eliminate this vulnerability and secure the server against potential attacks.

Original NVD description (English source)

HRConvert2 is a self-hosted, drag-and-drop & nosql file conversion server & share tool. Prior to 3.3.8, the sanitizeString() function in convertCore.php is missing backtick (`) and tab (\t) from its strip list. User input then reaches shell_exec(), where the shell interprets these characters and commands within filenames execute. This vulnerability is fixed in 3.3.8.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS