Critical severityNVD Advisory· Published May 14, 2026· Updated May 15, 2026
CVE-2026-44666
CVE-2026-44666
Description
HRConvert2 is a self-hosted, drag-and-drop & nosql file conversion server & share tool. Prior to 3.3.8, the sanitizeString() function in convertCore.php is missing backtick (`) and tab (\t) from its strip list. User input then reaches shell_exec(), where the shell interprets these characters and commands within filenames execute. This vulnerability is fixed in 3.3.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2(expand)+ 1 more
- (no CPE)
- (no CPE)range: <3.3.8
Patches
Vulnerability mechanics
References
2News mentions
0No linked articles in our index yet.