Impact
HRConvert2 is a file conversion and sharing tool that accepts user-specified filenames. Prior to version 3.3.8, the sanitizeString() function omitted the backtick (`) and the tab character from its list of characters to strip, so user input could be forwarded to PHP's shell_exec() without adequate sanitization. As a result, a malicious user could construct a filename containing shell metacharacters and cause the server to execute an arbitrary command. This vulnerability permits unauthenticated remote command execution, compromising the confidentiality, integrity, and availability of the affected system.
Affected Systems
The affected product is HRConvert2 from vendor zelon88. Versions prior to 3.3.8 are vulnerable; the fix was introduced in release 3.3.8. No information on specific build numbers or operating systems is given, so all installations running an earlier release should be considered exposed.
Risk and Exploitability
The CVSS score of 9.3 signals a critical vulnerability. No EPSS score is available, and the absence of known public exploitation and of a CISA KEV listing mean the likelihood of exploitation is uncertain; the impact on any reachable instance, however, is severe. An unauthenticated remote attacker can take advantage of the missing sanitization in convertCore.php: a specially crafted filename containing backticks or tab characters is passed to shell_exec, allowing execution of arbitrary shell commands. This leads to full compromise of the host, including data theft, data manipulation, and service disruption.
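To show why a character blocklist is a weak guard in front of shell_exec(), here is an added example constructed for this advisory (it is not HRConvert2's own code; the function names and the exact list of stripped characters are assumptions): a blocklist sanitizer in the spirit of the flaw described above, beside an allowlist check combined with PHP's escapeshellarg(), plus a small detection helper for reviewing filenames in logs.

```php
<?php
// Constructed illustration, not HRConvert2's code. A blocklist sanitizer that
// strips common shell metacharacters but, like the pre-3.3.8 sanitizeString(),
// leaves the backtick and the tab character untouched.
function blocklistSanitize(string $name): string {
    $strip = [';', '&', '|', '$', '(', ')', '<', '>', '"', "'", '\\', "\n"];
    return str_replace($strip, '', $name);
}

// Hardened version: accept only an explicit allowlist of filename characters,
// reject everything else outright, and let PHP quote the value before it can
// reach a shell. Rejecting is safer than trying to "clean" hostile input.
function safeShellFilename(string $name): ?string {
    $name = basename($name);                         // drop any path component
    if (!preg_match('/^[A-Za-z0-9._-]{1,255}$/', $name)) {
        return null;                                 // not a plain filename
    }
    return escapeshellarg($name);                    // single-quoted argument
}

// Detection helper (assumed name): flags any string that still carries
// characters a POSIX shell interprets, including backtick and tab. Useful
// when reviewing upload logs for pre-3.3.8 installations.
function hasShellMetachars(string $s): bool {
    return preg_match('/[`\t;&|$()<>"\'\\\\\n]/', $s) === 1;
}

// Constructed inputs: a benign filename and one carrying a tab and a backtick.
$benign  = 'report-2024.docx';
$hostile = "report\t`.docx";

// The blocklist leaves the backtick and tab in place, so the detector still
// fires on the "sanitized" result; the allowlist version rejects it, and only
// the benign name comes back as a safely quoted shell argument.
var_dump(hasShellMetachars(blocklistSanitize($hostile)));
var_dump(safeShellFilename($hostile));
var_dump(safeShellFilename($benign));
```

Where shell_exec() cannot be avoided, every user-derived token in the command should pass through escapeshellarg(); where the caller only needs the file on disk, prefer PHP file functions over a shell entirely.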
OpenCVE Enrichment