VYPR
Critical severity · NVD Advisory · Published May 14, 2026 · Updated May 15, 2026

CVE-2026-44666

Description

HRConvert2 is a self-hosted, drag-and-drop & nosql file conversion server & share tool. Prior to 3.3.8, the sanitizeString() function in convertCore.php is missing backtick (`) and tab (\t) from its strip list. User input then reaches shell_exec(), where the shell interprets these characters and commands within filenames execute. This vulnerability is fixed in 3.3.8.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated remote command execution in HRConvert2 prior to 3.3.8 due to missing sanitization of backtick and tab characters in convertCore.php.

Root Cause

The sanitizeString() function in convertCore.php fails to strip backtick (`) and tab (\t) characters from user input, so they pass unchanged into the command strings handed to shell_exec() [1]. Because shell_exec() runs the string through /bin/sh, the shell treats a backtick pair as command substitution and a tab as argument-separating whitespace. An attacker who controls a filename or a target extension can therefore inject shell metacharacters that a deny-list sanitizer never saw, leading to arbitrary command execution.

Exploitation

Two attack vectors are identified [1]:

  1. Backtick injection: uploading a file whose name contains a backtick-wrapped command (e.g., a filename such as `id`x.png) causes the shell to run the enclosed command (here, id) via command substitution before the convert command itself runs.
  2. Tab injection: supplying a target extension that contains a tab (e.g., jpg<TAB>shell.php) lets the tab split what was meant to be one argument into two, so shell_exec() invokes the converter with an extra output filename and output is written both to the intended file and to shell.php. If the uploaded PNG carries PHP code in its metadata, the resulting shell.php can be requested through the web server and executed.

Both vectors require no authentication and can be exploited by uploading a crafted file and triggering conversion.
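The following is an added example, not code from HRConvert2 or from the advisory, that reconstructs the class of bug described above and contrasts it with a hardened form. The deny list, the function names and the `convert` command line are assumptions chosen to mirror the described pattern; the point is that a strip-list sanitizer silently lets through any metacharacter it did not enumerate (here backtick and tab), while an allowlist plus `escapeshellarg()` rejects or neutralizes the same inputs.

```php
<?php
// Added example (not HRConvert2's code). Demonstrates why a deny-list sanitizer
// feeding string-built shell commands fails, and what a hardened version looks like.

// Hypothetical deny list that, like the one described in the advisory, omits
// backtick and tab. This is an assumption, not the project's actual list.
const STRIP_LIST = ['|', '&', ';', '$', '(', ')', '<', '>', "'", '"', "\n", ' ',
                    '{', '}', '*', '?', '!', '\\'];

function denylistSanitize(string $s): string
{
    return str_replace(STRIP_LIST, '', $s);
}

// Vulnerable pattern: sanitize by deletion, then concatenate into a shell string.
// Anything that survives STRIP_LIST is interpreted by /bin/sh in shell_exec().
function buildVulnerableCommand(string $filename, string $ext): string
{
    $in  = denylistSanitize($filename);
    $out = pathinfo($in, PATHINFO_FILENAME) . '.' . denylistSanitize($ext);
    return "convert $in $out";
}

// Hardened pattern: allowlist the extension, constrain the filename to a known-safe
// character class, and escape every argument regardless. Nothing is deny-listed.
function buildSafeCommand(string $filename, string $ext): string
{
    $allowed = ['png', 'jpg', 'jpeg', 'gif', 'webp', 'pdf'];   // assumed target set
    $ext = strtolower($ext);
    if (!in_array($ext, $allowed, true)) {
        throw new InvalidArgumentException('unsupported target extension');
    }
    $base = basename($filename);                                // strip any path
    // Conservative allowlist; a leading '-' or '.' is rejected separately because
    // escapeshellarg() does not stop a tool from parsing "-foo" as an option.
    if (!preg_match('/\A[A-Za-z0-9._-]{1,128}\z/', $base)
        || $base[0] === '-' || $base[0] === '.') {
        throw new InvalidArgumentException('unsafe filename');
    }
    $out = pathinfo($base, PATHINFO_FILENAME) . '.' . $ext;
    return 'convert ' . escapeshellarg($base) . ' ' . escapeshellarg($out);
}

// Constructed test inputs modelled on the two vectors in the advisory.
$cases = [
    ["`id`x.png", 'jpg'],             // backtick: survives the deny list intact
    ['photo.png', "jpg\tshell.php"],  // tab: splits the output name into two args
    ['photo.png', 'jpg'],             // benign request
];

foreach ($cases as [$name, $ext]) {
    // json_encode makes the tab and backticks visible in the emitted command.
    echo 'vulnerable: ' . json_encode(buildVulnerableCommand($name, $ext)) . "\n";
    try {
        echo 'safe:       ' . buildSafeCommand($name, $ext) . "\n";
    } catch (InvalidArgumentException $e) {
        echo 'safe:       rejected (' . $e->getMessage() . ")\n";
    }
}
```

Run with `php example.php`. The vulnerable builder emits `convert `id`x.png `id`x.jpg` for the first case (the shell substitutes the output of `id` into the command line) and `convert photo.png photo.jpg\tshell.php` for the second (the shell splits on the tab and the converter receives three arguments). The hardened builder rejects both before any command string exists and only escapes the benign case. The broader lesson is the one the advisory illustrates: deleting known-bad characters is the wrong primitive for shell construction; use an allowlist for the pieces you must interpret (extension, basename) and `escapeshellarg()` for every argument you pass, or avoid the shell entirely with an argv-style API.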

Impact

Successful exploitation allows a remote, unauthenticated attacker to execute arbitrary commands as the www-data user, potentially leading to complete server compromise [2]. The attack can be used to drop webshells, exfiltrate data, or pivot to internal networks.

Mitigation

The vulnerability is fixed in HRConvert2 version 3.3.8 [2]. All users running versions prior to 3.3.8 are strongly advised to upgrade immediately. No workarounds are available.

AI Insight generated by deepseek/deepseek-v4-flash-20260423 on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
