Injection Vulnerability in HRConvert2 by Zelon88
CVE-2026-44666

9.3CRITICAL

Key Information:

Vendor: Zelon88
Status: Hrconvert2
Vendor: CVE Published:; 14 May 2026

What is CVE-2026-44666?

The HRConvert2 application, a self-hosted file conversion server by Zelon88, contains a vulnerability due to the improper handling of user input in the sanitizeString() function. Versions prior to 3.3.8 allow backtick (`) and tab ( ) characters to be processed, leading to potential command execution through the shell_exec() function. This can compromise the functionality of the server, making it crucial for users to upgrade to version 3.3.8 or later to mitigate this risk.

Affected Version(s)

HRConvert2 < 3.3.8

References

https://github.com/zelon88/HRConvert2/security/advisories...

x_refsource_CONFIRM

https://github.com/zelon88/HRConvert2/releases/tag/v3.3.8

x_refsource_MISC

CVSS V4

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2026
Vulnerability Reserved
May 7, 2026

CVE-2026-44666 Data

JSON