Unrated severityOSV Advisory· Published Jan 27, 2026· Updated Jan 28, 2026
ConvertX Vulnerable to Arbitrary File Deletion via Path Traversal in `POST /delete`
CVE-2026-24741
Description
ConvertXis a self-hosted online file converter. In versions prior to 0.17.0, the POST /delete endpoint uses a user-controlled filename value to construct a filesystem path and deletes it via unlink without sufficient validation. By supplying path traversal sequences (e.g., ../), an attacker can delete arbitrary files outside the intended uploads directory, limited only by the permissions of the server process. Version 0.17.0 fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
2- github.com/C4illin/ConvertX/commit/7a936bdc0463936463616381ca257b13babc5e77mitrex_refsource_MISC
- github.com/C4illin/ConvertX/security/advisories/GHSA-w372-w6cr-45jpmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.