CVE-2026-44666 in HRConvert2

Summary

by MITRE • 05/15/2026

HRConvert2 is a self-hosted, drag-and-drop & nosql file conversion server & share tool. Prior to 3.3.8, the sanitizeString() function in convertCore.php is missing backtick (`) and tab (\t) from its strip list. User input then reaches shell_exec(), where the shell interprets these characters and commands within filenames execute. This vulnerability is fixed in 3.3.8.


Analysis

by VulDB Data Team • 05/15/2026

HRConvert2 contains a critical command injection vulnerability caused by inadequate input sanitization in its core conversion code. The sanitizeString() function in convertCore.php does not remove backtick (`) or tab (\t) characters from user-supplied input. Because the sanitized value then flows into shell_exec() with no further protection, these two characters give an attacker a way to influence the shell command through a crafted filename; the deny-list filtering sits at the wrong layer to prevent command execution.

Exploitation follows the well-known command injection pattern. When input containing a backtick or tab reaches shell_exec(), the shell interprets those characters as operators or separators rather than as part of the filename, and arbitrary commands can run. In MITRE ATT&CK terms this corresponds to command execution through a shell interpreter; in CWE terms it is CWE-78 (OS command injection), where untrusted data is passed to an operating system command without adequate neutralization. The root cause is a classic gap between sanitization and context: the application treats the stripped string as safe for the shell without considering how the shell will parse it.

The impact is full system compromise via remote code execution, not merely privilege escalation. Commands run with the privileges of the web server process, which can lead to complete takeover of the host, data exfiltration, or further reconnaissance of the network. All versions prior to 3.3.8 are affected, so installations running older releases are at immediate risk. The attack surface is especially concerning because HRConvert2 is a file conversion and sharing tool: users routinely upload files, and every uploaded filename is a potential entry point. Even a seemingly benign file operation can thus become a vector for compromise.

Mitigation must address both the immediate flaw and the underlying design weakness. The direct fix is to update to version 3.3.8 or later, which adds backtick and tab to the sanitizeString() strip list. Beyond that, operators and developers should validate input at multiple layers, escape data correctly for the shell context, and run the web server process with least privilege. System commands should be built with proper shell escaping, and direct shell execution avoided where possible. Code review should focus on input handling and shell command execution patterns, including similar functions elsewhere in the codebase that may share the same weakness. A web application firewall and monitoring for unusual command execution by the web server process add further layers of protection. The case illustrates why sanitization must be context-aware and why user input should never be placed directly into a shell command.
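The following PHP is an added illustration, not HRConvert2's own code: a constructed deny-list sanitizer that (like the pre-3.3.8 flaw) omits backtick and tab, a check that reports which metacharacters survive it, and the two hardened alternatives the analysis recommends (an allow-list and per-argument quoting with escapeshellarg). The strip list, function names and sample filenames are assumptions for the demonstration.

```php
<?php
// Added illustration (not HRConvert2's code): why a deny-list sanitizer
// fails for shell contexts, and how to build the command safely instead.

// Hypothetical deny-list sanitizer in the spirit of the pre-3.3.8 flaw.
// The strip list is constructed for this example; note it omits "`" and "\t".
function sanitizeDenyList(string $s): string {
    $strip = [';', '&', '|', '$', '(', ')', '<', '>', '"', "'", "\n"];
    return str_replace($strip, '', $s);
}

// Hardened approach 1: allow-list the filename and reject anything else.
function sanitizeAllowList(string $s): ?string {
    // Only letters, digits, dot, dash, underscore; no path separators.
    return preg_match('/\A[A-Za-z0-9._-]{1,128}\z/', $s) === 1 ? $s : null;
}

// Hardened approach 2: do not rely on stripping; quote every argument.
// escapeshellarg() wraps the value in single quotes, so "`" and "\t" are literal.
function buildConvertCommand(string $converter, string $input, string $output): string {
    return escapeshellcmd($converter) . ' ' . escapeshellarg($input) . ' ' . escapeshellarg($output);
}

// Review/detection helper: does a string still contain shell metacharacters?
function hasShellMetachars(string $s): bool {
    return preg_match('/[`\t\n;&|$()<>"\'\\\\ ]/', $s) === 1;
}

// Constructed sample names for the self-check below.
$samples = ["report.docx", "weird`name.pdf", "two\twords.txt"];
foreach ($samples as $name) {
    $stripped = sanitizeDenyList($name);
    printf("%-18s deny-list -> %-18s metachars left: %-3s | allow-list: %s\n",
        json_encode($name), json_encode($stripped),
        hasShellMetachars($stripped) ? 'YES' : 'no',
        sanitizeAllowList($name) ?? 'REJECTED');
}

// Safe invocation: the filename is one quoted argument regardless of content.
echo buildConvertCommand('/usr/bin/convert', $samples[1], 'out.png'), "\n";
```

Running this shows the deny-list leaving the backtick and tab names unchanged while the allow-list rejects both, and the final line prints the converter command with the filename safely single-quoted.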

Responsible: GitHub M
Reservation: 05/07/2026
Disclosure: 05/15/2026
Moderation: accepted
CPE: ready
EPSS: 0.00062
KEV: no
Activities: very low
