NVD Vulnerability Detail

Search Exploit, PoC

NVD脆弱性検索トップ

->

NVD Vulnerability Detail

CVE-2026-44666

Summary	HRConvert2 is a self-hosted, drag-and-drop & nosql file conversion server & share tool. Prior to 3.3.8, the sanitizeString() function in convertCore.php is missing backtick (`) and tab (\t) from its strip list. User input then reaches shell_exec(), where the shell interprets these characters and commands within filenames execute. This vulnerability is fixed in 3.3.8.
Publication Date	May 15, 2026, 6:16 a.m.
Registration Date	May 17, 2026, 4:11 a.m.
Last Update	May 16, 2026, 12:16 a.m.

Related information, measures and tools

No	URL	refsource	タグ
1	https://github.com/zelon88/HRConvert2/releases/tag/v3.3.8	security-advisories@github.com
2	https://github.com/zelon88/HRConvert2/security/advisories/GHSA-f74g-4wj8-j35h	security-advisories@github.com
3	https://github.com/zelon88/HRConvert2/security/advisories/GHSA-f74g-4wj8-j35h	134c704f-9b21-4f2e-91b3-4a467353bcc0

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-78	OSコマンド・インジェクション	https://cwe.mitre.org/data/definitions/78.html