The Apache OpenMeetings web conferencing application has been found to have several security vulnerabilities due to unexpected application states, including weak hash comparison, unrestricted access via invitation hash, and null-byte injection. These vulnerabilities allow attackers to combine them with additional code vulnerabilities to hijack an OpenMeetings instance and execute commands on the underlying server. The vulnerabilities were discovered through a combination of analysis and testing, and all three issues have been addressed in Apache OpenMeetings version 7.1.0. The fix for the weak hash comparison issue involves adding an additional check to prevent wildcard characters from being used, while the unrestricted access via invitation hash is mitigated by adjusting the `setUser` method to prevent derived permissions when the rights set is empty. The null-byte injection is fixed by validating the configured path using the `Path.of` method, which throws an `InvalidPathException` if a null-byte is present. The vulnerabilities highlight the importance of following Clean Code principles and ensuring that applications behave as expected under various conditions to reduce the risk of introducing security vulnerabilities.