
HRConvert2 CVE-2026-44666

EUVD-2026-30480 | CRITICAL
OS Command Injection (CWE-78)
2026-05-14 | security-advisories@github.com
CVSS 4.0 score: 9.3

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

- Patch available: May 14, 2026 22:02 (EUVD)
- Source Code Evidence Fetched: May 14, 2026 22:01 (vuln.today)
- Analysis Generated: May 14, 2026 22:01 (vuln.today)
- CVE Published: May 14, 2026 21:16 (nvd)

Description (NVD)

HRConvert2 is a self-hosted, drag-and-drop & nosql file conversion server & share tool. Prior to 3.3.8, the sanitizeString() function in convertCore.php is missing backtick (`) and tab (\t) from its strip list. User input then reaches shell_exec(), where the shell interprets these characters and commands within filenames execute. This vulnerability is fixed in 3.3.8.

Analysis (AI-generated)

Remote code execution in HRConvert2 self-hosted file conversion server allows unauthenticated attackers to execute arbitrary commands via shell metacharacters in filenames. The sanitizeString() function in convertCore.php fails to filter backticks and tab characters before passing user input to shell_exec(), enabling command injection that executes in the web server context (www-data). …


Remediation (AI-generated)

Within 24 hours: Identify all HRConvert2 instances in your environment and document current versions; disable or isolate HRConvert2 from untrusted networks if feasible. Within 7 days: Implement network access controls restricting HRConvert2 to trusted users only; monitor web server logs for suspicious filename patterns (backticks, tab characters, command substitution syntax) and process activity from the www-data user context. …
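The log-monitoring step above, as an added example that is not part of the advisory or of HRConvert2: it URL-decodes the request target of web server access log lines and flags the three patterns the remediation names (backtick, tab, `$(` command substitution). The log lines are constructed samples, and the example assumes the filename is visible in the request path or query string; filenames submitted in multipart upload bodies do not appear in access logs and need application-level logging instead.

```python
import re
from urllib.parse import unquote

# Shell-interpreted tokens the advisory says sanitizeString() fails to strip
# (backtick, tab), plus the $( ... ) command-substitution form the
# remediation text lists as a pattern to monitor for.
SUSPICIOUS = {
    "backtick": "`",
    "tab": "\t",
    "command-substitution": "$(",
}

# Request line of Apache/nginx combined-format access logs. Assumption: the
# converter is reached via the path/query shown here.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def find_suspicious(line):
    """Return the names of suspicious patterns present in the decoded request target."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    # Decode percent-encoding first: %60 -> `, %09 -> tab, %24%28 -> $(
    target = unquote(m.group("target"))
    return [name for name, token in SUSPICIOUS.items() if token in target]


def scan(lines):
    """Return (line_number, pattern_names) for every log line that matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = find_suspicious(line)
        if found:
            hits.append((n, found))
    return hits


# Constructed sample access log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [14/May/2026:22:10:01 +0000] "GET /index.php?file=report.pdf HTTP/1.1" 200 512',
    '203.0.113.5 - - [14/May/2026:22:10:07 +0000] "GET /index.php?file=notes%60x%60.docx HTTP/1.1" 200 512',
    '198.51.100.9 - - [14/May/2026:22:11:30 +0000] "GET /index.php?file=a%09b.png HTTP/1.1" 200 512',
    '198.51.100.9 - - [14/May/2026:22:12:02 +0000] "GET /index.php?file=img%24%28x%29.jpg HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for n, found in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(found)}")
```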



CVE-2026-44666 vulnerability details – vuln.today
