CVE-2026-24741

HIGH

ConvertX < 0.17.0 - Path Traversal and Arbitrary File Deletion via Delete Endpoint

Title source: llm
STIX 2.1

Description

ConvertXis a self-hosted online file converter. In versions prior to 0.17.0, the `POST /delete` endpoint uses a user-controlled `filename` value to construct a filesystem path and deletes it via `unlink` without sufficient validation. By supplying path traversal sequences (e.g., `../`), an attacker can delete arbitrary files outside the intended uploads directory, limited only by the permissions of the server process. Version 0.17.0 fixes the issue.

Scores

CVSS v3 8.1
EPSS 0.0041
EPSS Percentile 32.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-22
Status published
Products (1)
c4illin/convertx < 0.17.0
Published Jan 27, 2026
Tracked Since Feb 18, 2026