QwikSec

Security Database

CVE

CWE

Training

CVE-2026-44666

Published: May 14, 2026

Modified: May 15, 2026

PUBLISHED

Description

HRConvert2 is a self-hosted, drag-and-drop & nosql file conversion server & share tool. Prior to 3.3.8, the sanitizeString() function in convertCore.php is missing backtick (`) and tab (\t) from its strip list. User input then reaches shell_exec(), where the shell interprets these characters and commands within filenames execute. This vulnerability is fixed in 3.3.8.

Vendor	Product	Versions
zelon88	HRConvert2	affected `< 3.3.8`

Weaknesses (CWE)

References

https://github.com/zelon88/HRConvert2/security/advisories/GHSA-f74g-4wj8-j35h

x_refsource_CONFIRM

https://github.com/zelon88/HRConvert2/releases/tag/v3.3.8

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.