
External risk intelligence

HRConvert2 could allow external attackers to gain full system control.

HRConvert2 file conversion servers could allow external attackers to execute unintended commands. This could result in the compromise of operational systems or sensitive files managed by the platform.

NVD published May 14, 2026

External risk brief: CRITICAL

CVE-2026-44666

Halo Surface Signal: 4/5

HRConvert2 is a web-based file conversion and sharing server. Such applications are commonly deployed as internet-facing services to facilitate remote file uploads and processing, making exposure to the public internet a standard deployment pattern for this type of software.

Exposure facts

H – Horizon Alert

The HRConvert2 file conversion tool contains a security flaw where it fails to adequately filter specific characters in user-provided filenames. This oversight allows the system to inadvertently process and run unintended commands when handling files. Consequently, this vulnerability could enable unauthorized command execution on the server hosting the application, posing a potential risk to the integrity of your systems and data.
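The bug class described above (characters in a user-provided filename reaching a command line), shown from the defensive side as an added example. It is not HRConvert2 code: the character allowlist, the extension list, the `convert-tool` binary name and the paths are assumptions made for illustration.

```python
import re
import uuid

# Assumed policy for this example: first character alphanumeric (so no leading
# "-" or "."), then letters, digits, dot, underscore, space or dash only.
# Shell metacharacters, path separators and control characters never match.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._ -]{0,127}")
ALLOWED_EXT = {"txt", "pdf", "odt", "docx", "png", "jpg"}  # hypothetical list


def check_upload_name(name: str) -> str:
    """Return the lowercased extension of an acceptable name, else raise ValueError."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("filename has characters outside the allowlist")
    _, dot, ext = name.rpartition(".")
    if not dot or ext.lower() not in ALLOWED_EXT:
        raise ValueError("extension is not on the allowlist")
    return ext.lower()


def build_convert_argv(upload_dir: str, user_name: str, target_ext: str) -> list[str]:
    """Argument vector for a hypothetical `convert-tool` binary.

    The user-supplied name is validated and then dropped: files are stored
    under a server-generated name, and the list is meant for
    subprocess.run(argv) with the default shell=False, so no shell parses it.
    """
    src_ext = check_upload_name(user_name)
    if target_ext not in ALLOWED_EXT:
        raise ValueError("target format is not on the allowlist")
    stored = uuid.uuid4().hex
    return ["convert-tool", "--",
            f"{upload_dir}/{stored}.{src_ext}",
            f"{upload_dir}/{stored}.{target_ext}"]


def audit_names(names: list[str]) -> list[str]:
    """Return the names that fail the policy, e.g. from an existing upload directory listing."""
    rejected = []
    for name in names:
        try:
            check_upload_name(name)
        except ValueError:
            rejected.append(name)
    return rejected
```

`audit_names` can be pointed at a listing of files already held by a conversion server to find names that would not pass the same policy.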

A – Asset Exposure

This issue affects the HRConvert2 self-hosted file conversion and sharing server. If this tool is deployed within your environment, an issue with how input is processed could allow for unauthorized command execution on the host server. Depending on the deployment, this could lead to the compromise of operational systems or unauthorized access to sensitive files managed by the server. Because this is a self-hosted utility, the specific level of exposure depends on whether the organization has configured the service for internal use or made it accessible via the public internet.

L – Live Threat

Current threat intelligence for this file conversion utility indicates no evidence of active exploitation or known targeting in the wild. We have not identified any public exploit code or proof-of-concept activity associated with this vulnerability. The available context does not indicate that this issue is currently being leveraged by threat actors.

O – Operational Fix

The security team recommends applying the latest vendor update for HRConvert2 to address a vulnerability involving how user input is processed. Please ensure your technical team applies this update to protect your system from potential unauthorized command execution. Following the installation, we advise validating that the tool remains configured according to your established security standards.
