CVE-2026-24741 · HIGH 8.1 · EPSS p32.4%

Description

ConvertX is a self-hosted online file converter. In versions prior to 0.17.0, the `POST /delete` endpoint uses a user-controlled `filename` value to construct a filesystem path and deletes it via `unlink` without sufficient validation. By supplying path traversal sequences (e.g., `../`), an attacker can delete arbitrary files outside the intended uploads directory, limited only by the permissions of the server process. Version 0.17.0 fixes the issue.
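
A defensive containment check for the pattern described above, as an added example (not ConvertX's code and not the 0.17.0 patch). The function names `resolveInside` and `safeDelete`, the directory layout and the sample files are assumptions constructed for illustration.

```javascript
const path = require("node:path");
const fs = require("node:fs");
const os = require("node:os");

// Lexical check: resolve `filename` under `baseDir`, return null if it escapes.
function resolveInside(baseDir, filename) {
  if (typeof filename !== "string" || filename === "" || filename.includes("\0")) return null;
  const base = path.resolve(baseDir);
  const target = path.resolve(base, filename); // collapses ../ and absolute inputs
  const rel = path.relative(base, target);
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) return null;
  return target;
}

// Delete only if the symlink-resolved parent directory is still inside baseDir.
function safeDelete(baseDir, filename) {
  const target = resolveInside(baseDir, filename);
  if (target === null) return false;
  try {
    const realBase = fs.realpathSync(baseDir);
    const realParent = fs.realpathSync(path.dirname(target));
    if (realParent !== realBase && !realParent.startsWith(realBase + path.sep)) return false;
    fs.unlinkSync(path.join(realParent, path.basename(target)));
    return true;
  } catch {
    return false; // missing file, permission error, broken link
  }
}

// Constructed sample: an uploads directory plus one file outside it.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "delete-demo-"));
  const uploads = path.join(root, "uploads");
  fs.mkdirSync(uploads);
  fs.writeFileSync(path.join(uploads, "a.txt"), "upload");
  const outside = path.join(root, "outside.txt");
  fs.writeFileSync(outside, "keep");
  const results = {
    traversal: safeDelete(uploads, "../outside.txt"), // rejected
    absolute: safeDelete(uploads, outside),           // rejected
    normal: safeDelete(uploads, "a.txt"),             // allowed
    outsideSurvives: fs.existsSync(outside),
    uploadGone: !fs.existsSync(path.join(uploads, "a.txt")),
  };
  fs.rmSync(root, { recursive: true, force: true });
  return results;
}
```

The comparison uses `path.relative` rather than a plain string prefix test, so a sibling directory such as `uploads-old` is not mistaken for a child of `uploads`, and a legitimate name such as `..foo` is not rejected.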

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS: 0.41% probability of exploitation · percentile 32.4% · 2026-06-19T12:03:05Z
Published: 2026-01-27
Last modified: 2026-02-12

Underlying weaknesses · 1

CWE-22

References

  1. https://github.com/C4illin/ConvertX/commit/7a936bdc0463936463616381ca257b13babc5e77
  2. https://github.com/C4illin/ConvertX/security/advisories/GHSA-w372-w6cr-45jp

| Type | Target | Confidence | Tier |
|---|---|---|---|
| Weakness | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (cwe-22) | 0% | live |

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-66449
  2. CVE-2026-36726
  3. CVE-2026-34728
  4. CVE-2025-8141
  5. CVE-2026-45230
  6. CVE-2025-13322

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.