CVE-2025-66449

HIGH

ConvertX <0.16.0 - Code Injection

Title source: llm

Description

ConvertXis a self-hosted online file converter. In versions prior to 0.16.0, the endpoint `/upload` allows an authenticated user to write arbitrary files on the system, overwriting binaries and allowing code execution. The upload function takes `file.name` directly from user supplied data without doing any sanitization on the name thus allowing for arbitrary file write. This can be used to overwrite system binaries with ones provided from an attacker allowing full code execution. Version 0.16.0 contains a patch for the issue.

References (3)

Scores

CVSS v3 8.8
EPSS 0.0013
EPSS Percentile 32.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-22 CWE-434 CWE-73
Status published

Affected Products (1)

c4illin/convertx < 0.16.0

Timeline

Published Dec 16, 2025
Tracked Since Feb 18, 2026