CVE-2026-24741

ConvertX, a self-hosted online file converter, is affected by CVE-2026-24741 in versions prior to 0.17.0. The vulnerability resides in the POST /delete endpoint, which constructs a filesystem path using a user-controlled filename parameter and deletes the file via the unlink function without adequate validation. This enables path traversal attacks, such as supplying sequences like "../", allowing deletion of arbitrary files outside the intended uploads directory. The issue is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).

An authenticated attacker with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity and no user interaction required. By crafting a malicious filename in the POST request, the attacker can traverse directories and delete sensitive files on the server, such as configuration files, logs, or other critical data. The impact is confined to the permissions of the server process, resulting in high integrity (I:H) and availability (A:H) damage but no confidentiality loss (C:N).

The GitHub security advisory (GHSA-w372-w6cr-45jp) and fixing commit (7a936bdc0463936463616381ca257b13babc5e77) confirm that upgrading to version 0.17.0 resolves the issue through improved path validation in the delete endpoint. Security practitioners should prioritize patching affected ConvertX instances and review access controls for the delete functionality to mitigate risks from privileged users.