VYPR
Unrated severity · OSV Advisory · Published Jan 27, 2026 · Updated Jan 28, 2026

ConvertX Vulnerable to Arbitrary File Deletion via Path Traversal in `POST /delete`

CVE-2026-24741

Description

ConvertX is a self-hosted online file converter. In versions prior to 0.17.0, the `POST /delete` endpoint uses a user-controlled `filename` value to construct a filesystem path and deletes it via `unlink` without sufficient validation. By supplying path traversal sequences (e.g., `../`), an attacker can delete arbitrary files outside the intended uploads directory, limited only by the permissions of the server process. Version 0.17.0 fixes the issue.
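
An added example (not ConvertX's code or its 0.17.0 patch) of the containment check this class of bug calls for: the naive path join the description outlines, beside a resolver that refuses anything outside the uploads directory. The `UPLOADS_DIR` path, the function names and the sample filenames are assumptions constructed for illustration, and POSIX paths are assumed.

```javascript
const path = require("node:path");

// Hypothetical uploads root; not ConvertX's actual directory layout.
const UPLOADS_DIR = "/srv/app/uploads";

// Pattern the advisory describes: a user-controlled filename joined straight
// into a path that is later handed to unlink.
function naiveTarget(baseDir, filename) {
  return path.join(baseDir, filename);
}

// Hardened form: resolve lexically, then require the result to stay strictly
// inside baseDir. Returns the absolute path, or null if the name is rejected.
function safeTarget(baseDir, filename) {
  if (typeof filename !== "string" || filename === "" || filename.includes("\0")) {
    return null;
  }
  const base = path.resolve(baseDir);
  const target = path.resolve(base, filename); // an absolute filename replaces base here
  const rel = path.relative(base, target);
  // rel === "" is the uploads directory itself; a leading ".." segment or an
  // absolute rel means the target left the directory.
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    return null;
  }
  return target; // note: "..hidden.txt" is a legal file name and is accepted
}

// Constructed sample inputs, not taken from the advisory.
const SAMPLES = [
  "report.pdf",
  "job1/out.png",
  "../../etc/hostname",
  "/etc/hostname",
  "a/../../b",
  "..hidden.txt",
];

// Compare what each approach would pass to unlink for every sample.
function classify(samples) {
  return samples.map((name) => ({
    name,
    naive: naiveTarget(UPLOADS_DIR, name),
    safe: safeTarget(UPLOADS_DIR, name),
  }));
}

console.table(classify(SAMPLES));
```

The check is lexical only; if symlinks can exist under the uploads directory, compare `fs.realpathSync` results for the base and the target as well.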

Affected products

  • C4illin/Convertx (OSV, 2 versions): v0.1.1, v0.1.2, v0.10.0, … + 1 more
    • (no CPE) range: v0.1.1, v0.1.2, v0.10.0, …
    • (no CPE) range: <0.17.0
