Unrated severity · OSV Advisory · Published Jan 27, 2026 · Updated Jan 28, 2026
ConvertX Vulnerable to Arbitrary File Deletion via Path Traversal in `POST /delete`
CVE-2026-24741
Description
ConvertX is a self-hosted online file converter. In versions prior to 0.17.0, the `POST /delete` endpoint uses a user-controlled `filename` value to construct a filesystem path and deletes it via `unlink` without sufficient validation. By supplying path traversal sequences (e.g., `../`), an attacker can delete arbitrary files outside the intended uploads directory, limited only by the permissions of the server process. Version 0.17.0 fixes the issue.
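The pattern described above next to a containment check that rejects it, as an added example (not ConvertX's code and not the 0.17.0 patch). `UPLOADS_DIR`, `naiveTarget`, `safeTarget` and the sample filenames are assumptions made for illustration.

```javascript
// Added example, not ConvertX code. All names and paths here are hypothetical.
// path.posix keeps the sample results identical on any host OS.
const path = require("node:path").posix;

const UPLOADS_DIR = "/srv/app/uploads"; // constructed uploads directory

// Vulnerable pattern: the client-supplied name goes straight into the path.
// join() normalises "../" segments, so the result can leave UPLOADS_DIR.
function naiveTarget(baseDir, filename) {
  return path.join(baseDir, filename);
}

// Hardened pattern: resolve first, then require the result to sit strictly
// below baseDir. Returns the absolute path, or null when the name is rejected.
function safeTarget(baseDir, filename) {
  if (typeof filename !== "string" || filename === "" || filename.includes("\0")) {
    return null;
  }
  const base = path.resolve(baseDir);
  const target = path.resolve(base, filename); // an absolute input replaces base
  const rel = path.relative(base, target);
  // rel === ""       -> the uploads directory itself
  // rel begins "../" -> left base, including a sibling such as "uploads-old"
  //                     that a plain startsWith(base) comparison would accept
  if (rel === "" || rel === ".." || rel.startsWith("../")) {
    return null;
  }
  return target;
}

// Constructed values for the request's filename field.
const samples = [
  "report.pdf", "sub/report.pdf", "..hidden",
  "../../outside.txt", "a/../../x", "../uploads-old/a.txt",
  "/tmp/outside.txt", ".",
];

function classify(names) {
  return names.map((name) => ({
    name,
    naive: naiveTarget(UPLOADS_DIR, name),
    safe: safeTarget(UPLOADS_DIR, name),
  }));
}

console.table(classify(samples));
```

The check is lexical only: if symbolic links can exist under the uploads directory, compare `fs.realpath` results of the base and the target's parent directory before calling `unlink`.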
Affected products: 1
Patches: 0 (no patches discovered yet)
References (2)
- github.com/C4illin/ConvertX/commit/7a936bdc0463936463616381ca257b13babc5e77 (mitre, x_refsource_MISC)
- github.com/C4illin/ConvertX/security/advisories/GHSA-w372-w6cr-45jp (mitre, x_refsource_CONFIRM)