External risk intelligence

An attacker can run arbitrary commands on an HRConvert2 server by uploading a file whose name contains shell metacharacters.

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-44666

A vulnerability in HRConvert2 allows an unauthenticated attacker to run commands on the server by uploading a file with a malicious filename. This can lead to full compromise of the host. Update to version 3.3.8.

Halo Surface Signal: 4

OS Command Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-44666

The vulnerability exists in a web-based file conversion and sharing application. Such tools are typically deployed as network-accessible services specifically to facilitate file uploads from users, making internet or wide-network exposure a standard and expected deployment pattern for this type of software.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in HRConvert2 allows remote code execution through special characters in uploaded filenames. Because the filename sanitization is incomplete, shell metacharacters survive it and reach a shell command, so a specially crafted filename causes unauthorized commands to run on the server, potentially compromising the entire system.

  • Remote code execution is possible.
  • Affects self-hosted file conversion servers.
  • Requires no prior access to exploit.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by uploading a file with a specially crafted filename to the HRConvert2 server. Since the server passes the filename into a shell command string without proper sanitization, the attacker can embed commands within the filename itself. The shell then executes those commands with the privileges of the web server process, leading to potential compromise of the host.

  • No authentication required.
  • Vulnerable file upload functionality.
  • Malicious command in filename.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows unauthenticated attackers to execute arbitrary commands by crafting malicious filenames. Given that HRConvert2 is a self-hosted, drag-and-drop tool for file conversion and sharing, it's often exposed to the internet or wide networks to allow users to upload files. This exposure, combined with the ease of exploitation and critical impact, makes it an attractive target.

  • Public exploit code is available.
  • It is a critical command execution flaw.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize locating and isolating HRConvert2 instances, as unauthenticated remote code execution via crafted filenames is a critical risk. Because exploitation needs nothing more than a file upload and exploit code is public, treat any exposed instance as potentially already targeted and check it before trusting it.

  • Update HRConvert2 to version 3.3.8.
  • Block or restrict access to HRConvert2 endpoints.
  • Monitor for shell processes spawned by the web server or PHP worker, and for uploaded filenames containing shell metacharacters.
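
As an added example (not part of the original advisory and not HRConvert2's own code), a small triage scanner for the third action: it walks an upload directory and flags any entry whose name contains shell metacharacters, backtick and tab included, so that crafted names already on disk can be found. The directory and the sample filenames are constructed for the demo.

```python
import os
import re
import tempfile

# Shell-significant characters that should never appear in an uploaded
# filename, with the reason each one matters to an injection. Backtick and
# tab are the two the advisory says the vulnerable sanitizer let through.
REASONS = {
    '`': 'backtick: command substitution',
    '$': 'dollar: variable or $(...) expansion',
    ';': 'semicolon: command separator',
    '|': 'pipe',
    '&': 'ampersand: background/AND operator',
    '<': 'input redirection',
    '>': 'output redirection',
    '\t': 'tab: splits the name into extra arguments',
    '\n': 'newline: command separator',
}


def classify_name(name: str) -> list:
    """Return the sorted reasons a filename looks shell-hostile ([] if clean)."""
    return sorted({REASONS[c] for c in name if c in REASONS})


def scan_tree(root: str) -> list:
    """Walk an upload tree and return (path, reasons) for every suspicious entry."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            reasons = classify_name(entry)
            if reasons:
                hits.append((os.path.join(dirpath, entry), reasons))
    return sorted(hits)


def suspicious_basenames(root: str) -> list:
    """Just the flagged names, in path order, for quick reporting."""
    return [os.path.basename(path) for path, _ in scan_tree(root)]


# Constructed sample names for the demo, not real uploads. The '/' character
# cannot occur in a single path component, so it is not part of the set.
SAMPLE_NAMES = [
    'invoice.pdf',
    'photo 01.jpg',
    'report`id`.pdf',
    'scan.png\t--out=x',
    'notes;id.txt',
]


def build_sample_tree() -> str:
    """Create a throwaway directory holding the sample names (nothing is executed)."""
    root = tempfile.mkdtemp(prefix='hrconvert-scan-')
    for name in SAMPLE_NAMES:
        with open(os.path.join(root, name), 'w', encoding='utf-8'):
            pass
    return root


if __name__ == '__main__':
    sample_root = build_sample_tree()
    for path, reasons in scan_tree(sample_root):
        print(f'{path!r}: {", ".join(reasons)}')
```

Point `scan_tree` at the application's upload and conversion directories rather than the sample tree. Spaces are deliberately not flagged, because legitimate uploads contain them and the noise would bury the real hits, but a plain space also splits an unquoted name into extra arguments, so a name with spaces is not proof of safety.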

Frequently asked questions

What is HRConvert2 and what is it used for?

HRConvert2 is a self-hosted, drag-and-drop file conversion and sharing server written in PHP. The project describes itself as "nosql", meaning it runs without a SQL database backend, not that it uses a NoSQL database. People typically use it to convert files between formats and share the results.

How does the CVE-2026-44666 vulnerability work?

This vulnerability, classed as CWE-78 (OS Command Injection), occurs because HRConvert2's sanitizeString() function does not strip certain characters, notably backticks and tabs, from uploaded filenames. The filename is then concatenated into a command string that is passed to shell_exec(). To the shell, backticks are command substitution, so whatever sits between them is executed; a tab is whitespace, so it splits the name into additional arguments. Either way the operating system ends up running attacker-chosen commands under the web server's account.
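
The sanitizer gap described above and in the Attack Path section, as an added example that is not HRConvert2's code: a hypothetical blocklist sanitizer (weak_sanitize) stands in for the flawed sanitizeString() behaviour, a Python child process that reports its argument vector stands in for the converter binary, and the same crafted names are passed once through a shell string (the shell_exec pattern) and once as a plain argument vector. It is written in Python rather than PHP so that it runs stand-alone; the PHP counterparts are named in the comments, and the two attacker filenames are constructed for the demo.

```python
import json
import re
import shlex
import subprocess
import sys

# Hypothetical blocklist sanitizer for the flaw class described above: it
# strips the "obvious" shell metacharacters but leaves backticks and tabs,
# the gap the advisory attributes to sanitizeString().
BLOCKED = set(';|&<>$(){}\n\r')


def weak_sanitize(name: str) -> str:
    return ''.join(c for c in name if c not in BLOCKED)


# Allowlist sanitizer: anything outside a conservative character set becomes
# an underscore, and leading dots go so that '..' and dotfiles cannot appear.
SAFE = re.compile(r'[^A-Za-z0-9._-]')


def strict_sanitize(name: str) -> str:
    cleaned = SAFE.sub('_', name).lstrip('.')
    return cleaned or 'file'


# Stand-in for the converter: a child Python process that prints the argument
# vector it actually received, which shows exactly what the shell did.
ARGV_DUMP = 'import json, sys; print(json.dumps(sys.argv[1:]))'


def spawn_via_shell(name: str) -> list:
    """Equivalent of shell_exec("converter " . $name): the name is pasted into
    a command string that /bin/sh re-parses before the child ever runs."""
    cmd = f'{shlex.quote(sys.executable)} -c {shlex.quote(ARGV_DUMP)} {name}'
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return json.loads(out.stdout)


def spawn_via_argv(name: str) -> list:
    """No shell at all: the name travels as one argv element. The PHP analogue
    is proc_open() with an array command, or escapeshellarg() on the name."""
    out = subprocess.run([sys.executable, '-c', ARGV_DUMP, name],
                         capture_output=True, text=True, check=True)
    return json.loads(out.stdout)


# Constructed attacker filenames (not taken from any real exploit).
BACKTICK_NAME = 'report`echo pwned`.pdf'   # backticks: command substitution
TAB_NAME = 'report.pdf\t--delete-all'       # tab: splits into a second argument


def demo() -> dict:
    return {
        'weak+shell backtick': spawn_via_shell(weak_sanitize(BACKTICK_NAME)),
        'weak+shell tab': spawn_via_shell(weak_sanitize(TAB_NAME)),
        'quoted+shell backtick': spawn_via_shell(shlex.quote(BACKTICK_NAME)),
        'argv backtick': spawn_via_argv(BACKTICK_NAME),
        'argv tab': spawn_via_argv(TAB_NAME),
        'strict name': strict_sanitize(BACKTICK_NAME),
    }


if __name__ == '__main__':
    for label, result in demo().items():
        print(f'{label:24} -> {result!r}')
```

With the weak sanitizer and a shell, the backtick name reaches the child as reportpwned.pdf (the shell ran echo pwned and spliced its output in, which is the code-execution primitive) and the tab name arrives as two separate arguments. Quoting the name (shlex.quote here, escapeshellarg() in PHP) or dropping the shell entirely delivers it unchanged. Quoting alone still lets a name begin with "-", so the converter may read it as an option; pair it with an allowlist such as strict_sanitize, or put "--" before the filename if the tool supports it.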

What are the conditions needed to exploit this vulnerability?

An attacker can exploit this by uploading a file with a malicious filename to the HRConvert2 server. No prior access or authentication is required. The vulnerability is triggered when the server processes this specially crafted filename through its shell execution function without adequate sanitization.

Who should be concerned about this threat?

HRConvert2 instances are commonly internet-facing, because the tool exists to accept uploads from users, so the vulnerable code is often reachable by anyone. Anyone running HRConvert2, and especially anyone exposing it to external networks, should be concerned, since a single upload can lead to unauthorized command execution on the server.

What is the first step to address this CVE?

The recommended first step is to update HRConvert2 to version 3.3.8, where this vulnerability is fixed. If immediate updating is not possible, block or restrict access to the HRConvert2 endpoints as a mitigating measure. In either case, review existing uploads and the web server's process activity before treating the host as clean.
