
Description

HRConvert2 is a self-hosted, drag-and-drop & NoSQL file conversion server & share tool. Prior to 3.3.8, the sanitizeString() function in convertCore.php is missing backtick (`) and tab (\t) from its strip list. User input then reaches shell_exec(), where the shell interprets these characters and commands within filenames execute. This vulnerability is fixed in 3.3.8.
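The weakness described above is the general fragility of a character blocklist applied before a value reaches the shell. The following PHP snippet is an added illustration and is not HRConvert2's code: weak_sanitize() is a hypothetical blocklist sanitizer whose character list is an assumption (it only mirrors the advisory's point that backtick and tab are absent), and safe_filename() / build_convert_command() show the allowlist-plus-escapeshellarg() approach a maintainer would typically use instead. The sample filenames are constructed for the demonstration, and str_contains() assumes PHP 8 or later.

```php
<?php
// Added illustration (not HRConvert2's code): a blocklist sanitizer that
// omits backtick and tab, beside an allowlist-based hardened alternative.

// Hypothetical blocklist sanitizer. The list of stripped characters is an
// assumption; like the pre-3.3.8 function it omits backtick and tab.
function weak_sanitize(string $input): string {
    $strip = [';', '&', '|', '$', '(', ')', '<', '>', '"', "'", '\\', "\n"];
    return str_replace($strip, '', $input);
}

// Hardened approach: accept only filenames matching a strict allowlist,
// rather than trying to enumerate every character the shell might interpret.
function safe_filename(string $input): ?string {
    $base = basename($input);   // drop any directory component
    // Letters, digits, dot, dash, underscore and space; at most 255 chars.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9 ._-]{0,254}$/', $base)) {
        return null;
    }
    if (str_contains($base, '..')) {   // reject traversal-looking names (PHP 8+)
        return null;
    }
    return $base;
}

// Build the shell command only from validated and escaped arguments.
// Returns null when either filename fails validation.
function build_convert_command(string $tool, string $inFile, string $outFile): ?string {
    $in  = safe_filename($inFile);
    $out = safe_filename($outFile);
    if ($in === null || $out === null) {
        return null;
    }
    return escapeshellcmd($tool) . ' ' . escapeshellarg($in) . ' ' . escapeshellarg($out);
}

// Constructed sample inputs: one benign name and three containing
// shell metacharacters. Nothing here is executed.
$samples = [
    "report.pdf",
    "notes`x`.txt",   // backtick survives the blocklist
    "a\tb.txt",       // tab survives the blocklist
    "x;y.txt",        // semicolon is stripped by the blocklist
];
foreach ($samples as $s) {
    $weak = weak_sanitize($s);
    $left = preg_match('/[`\t]/', $weak) ? 'metacharacter left' : 'clean';
    $hard = safe_filename($s) ?? 'REJECTED';
    printf("%-16s blocklist=%-16s (%s)  allowlist=%s\n",
           json_encode($s), json_encode($weak), $left, $hard);
}
echo build_convert_command('/usr/bin/convert', 'report.pdf', 'report.png'), "\n";
```

Running the script shows the blocklist passing the backtick and tab names through unchanged while the allowlist rejects them outright; the final line shows a command built only from escaped, validated arguments, which is the shape the post-fix code path should take regardless of which characters the strip list contains.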

PUBLISHED Reserved 2026-05-07 | Published 2026-05-14 | Updated 2026-05-15 | Assigner GitHub_M




CRITICAL: 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Problem types

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

< 3.3.8: affected

References

github.com/...nvert2/security/advisories/GHSA-f74g-4wj8-j35h exploit

github.com/...nvert2/security/advisories/GHSA-f74g-4wj8-j35h

github.com/zelon88/HRConvert2/releases/tag/v3.3.8

cve.org (CVE-2026-44666)

nvd.nist.gov (CVE-2026-44666)
