RCE in Zelon88 Hrconvert2
CVE-2026-44666
HRConvert2 is a self-hosted, drag-and-drop, NoSQL file conversion server and sharing tool. Prior to 3.3.8, the sanitizeString() function in convertCore.php is missing the backtick (`) and tab (\t) characters from its strip list. User input then reaches shel…
Vulnerability class: Command Injection (OS Command Injection)
EPSS: 0.001 (19.5th percentile)
Affected products
- Zelon88 Hrconvert2 — versions < 3.3.8
Weakness classification (CWE)
References
- security-advisories@github.com (x_refsource_CONFIRM)
- security-advisories@github.com (x_refsource_MISC)