Critical OS Command Injection Vulnerability CVE-2026-44666 Affects zelon88 HRConvert2 Users, Urgent Patch Required
A critical remote code execution vulnerability has been identified in zelon88 HRConvert2, affecting all versions prior to 3.3.8. The flaw, tracked as CVE-2026-44666, stems from improper neutralization of special elements in the sanitizeString() function, specifically mishandling backtick and tab characters. Security researchers warn that successful exploitation could grant attackers full server compromise, making immediate patching a priority for any organization running the affected software.
The vulnerability resides in how HRConvert2's input sanitization process handles certain character sequences. By injecting malicious payloads containing backticks and tab characters, an attacker can bypass the application's sanitization barriers and execute arbitrary operating system commands on the underlying host. This class of vulnerability, categorized under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), represents a severe risk given its potential for complete system takeover without requiring authentication.
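As an added illustration, not HRConvert2's own code and not a claim about how its sanitizeString() is actually written, the hypothetical denylist sanitizer below shows how a filter that strips the usual shell metacharacters still lets a backtick or a tab through, and contrasts it with the allowlist-plus-argv approach that removes this bug class entirely:

```python
"""Why a denylist sanitizer can miss backtick and tab.

Hypothetical code written for this note. It is NOT HRConvert2's
sanitizeString() and makes no claim about that function's real logic.
"""
import re
import shlex

# Hypothetical denylist of common shell metacharacters. It omits the
# backtick (command substitution) and the tab (whitespace to the shell,
# so one argument can be split into several), mirroring the CWE-78
# pattern described in the advisory.
DENYLIST = set(';|&$<>()\n')


def denylist_sanitize(value: str) -> str:
    """Strip listed characters; anything not listed passes through."""
    return ''.join(ch for ch in value if ch not in DENYLIST)


def still_dangerous(value: str) -> bool:
    """True if a backtick or tab survived the sanitizer."""
    return '`' in value or '\t' in value


# Allowlist: accept only a conservative filename alphabet and length,
# and refuse names that a tool could parse as an option.
ALLOWED = re.compile(r'^[A-Za-z0-9._-]{1,128}$')


def allowlist_ok(value: str) -> bool:
    return bool(ALLOWED.fullmatch(value)) and not value.startswith('-')


def build_argv(tool: str, filename: str) -> list[str]:
    """Pass the name as one argv element; no shell is ever involved."""
    if not allowlist_ok(filename):
        raise ValueError('filename rejected by allowlist')
    return [tool, '--input', filename]


def quoted_for_shell(filename: str) -> str:
    """Last resort when a shell string is unavoidable: quote as one word."""
    return shlex.quote(filename)


if __name__ == '__main__':
    # Constructed sample inputs, not captured from any real attack.
    for s in ['report.pdf', 'report`x`.pdf', 'a\tb.pdf', '-rf.pdf']:
        cleaned = denylist_sanitize(s)
        print(repr(s), '->', repr(cleaned), 'dangerous:',
              still_dangerous(cleaned), 'allowlist:', allowlist_ok(s))
```

The denylist leaves the backtick and tab samples untouched, while the allowlist rejects both; building an argv list instead of a shell string makes the distinction moot.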
Organizations using HRConvert2 versions below 3.3.8 should treat this as a critical priority and apply the vendor-provided patch immediately. Given the public disclosure of technical details, including the specific vulnerable function and the mishandled characters, the window before threat actors begin opportunistic exploitation is likely narrowing. Security teams are advised to audit their environments for any exposed HRConvert2 instances and to implement compensating controls as a stopgap while patching is underway.