CVE-2026-24741

Name of the Vulnerable Software and Affected Versions ConvertX versions prior to 0.17.0

Description ConvertX is a self-hosted online file converter. The POST /delete endpoint uses a user-controlled filename value to construct a filesystem path and deletes it via the unlink function without sufficient validation. An attacker can supply path traversal sequences (e.g., ../) in the filename parameter to delete arbitrary files outside the intended uploads directory, limited by the permissions of the server process. The vulnerable parameter is filename.

Recommendations Update to version 0.17.0 or later.