{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24741", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-26T19:06:16.059Z", "datePublished": "2026-01-27T21:11:57.295Z", "dateUpdated": "2026-01-28T15:14:23.019Z"}, "containers": {"cna": {"title": "ConvertX Vulnerable to Arbitrary File Deletion via Path Traversal in `POST /delete`", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/C4illin/ConvertX/security/advisories/GHSA-w372-w6cr-45jp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/C4illin/ConvertX/security/advisories/GHSA-w372-w6cr-45jp"}, {"name": "https://github.com/C4illin/ConvertX/commit/7a936bdc0463936463616381ca257b13babc5e77", "tags": ["x_refsource_MISC"], "url": "https://github.com/C4illin/ConvertX/commit/7a936bdc0463936463616381ca257b13babc5e77"}], "affected": [{"vendor": "C4illin", "product": "ConvertX", "versions": [{"version": "< 0.17.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-27T21:11:57.295Z"}, "descriptions": [{"lang": "en", "value": "ConvertXis a self-hosted online file converter. In versions prior to 0.17.0, the `POST /delete` endpoint uses a user-controlled `filename` value to construct a filesystem path and deletes it via `unlink` without sufficient validation. By supplying path traversal sequences (e.g., `../`), an attacker can delete arbitrary files outside the intended uploads directory, limited only by the permissions of the server process. Version 0.17.0 fixes the issue."}], "source": {"advisory": "GHSA-w372-w6cr-45jp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T15:13:55.350126Z", "id": "CVE-2026-24741", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T15:14:23.019Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24741", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-28T15:13:55.350126Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T15:14:03.848Z"}}], "cna": {"title": "ConvertX Vulnerable to Arbitrary File Deletion via Path Traversal in `POST /delete`", "source": {"advisory": "GHSA-w372-w6cr-45jp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "C4illin", "product": "ConvertX", "versions": [{"status": "affected", "version": "< 0.17.0"}]}], "references": [{"url": "https://github.com/C4illin/ConvertX/security/advisories/GHSA-w372-w6cr-45jp", "name": "https://github.com/C4illin/ConvertX/security/advisories/GHSA-w372-w6cr-45jp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/C4illin/ConvertX/commit/7a936bdc0463936463616381ca257b13babc5e77", "name": "https://github.com/C4illin/ConvertX/commit/7a936bdc0463936463616381ca257b13babc5e77", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "ConvertXis a self-hosted online file converter. In versions prior to 0.17.0, the `POST /delete` endpoint uses a user-controlled `filename` value to construct a filesystem path and deletes it via `unlink` without sufficient validation. By supplying path traversal sequences (e.g., `../`), an attacker can delete arbitrary files outside the intended uploads directory, limited only by the permissions of the server process. Version 0.17.0 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-27T21:11:57.295Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24741", "state": "PUBLISHED", "dateUpdated": "2026-01-28T15:14:23.019Z", "dateReserved": "2026-01-26T19:06:16.059Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-27T21:11:57.295Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:c4illin:convertx:*:*:*:*:*:*:*:*", "matchCriteriaId": "A579687A-7D3D-4486-8E38-458C0272DB33", "versionEndExcluding": "0.17.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ConvertXis a self-hosted online file converter. In versions prior to 0.17.0, the `POST /delete` endpoint uses a user-controlled `filename` value to construct a filesystem path and deletes it via `unlink` without sufficient validation. By supplying path traversal sequences (e.g., `../`), an attacker can delete arbitrary files outside the intended uploads directory, limited only by the permissions of the server process. Version 0.17.0 fixes the issue."}], "id": "CVE-2026-24741", "lastModified": "2026-02-12T21:08:24.083", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-27T22:15:56.303", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/C4illin/ConvertX/commit/7a936bdc0463936463616381ca257b13babc5e77"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/C4illin/ConvertX/security/advisories/GHSA-w372-w6cr-45jp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T01:55:30.546213+00:00", "value": {"mitigation_remediation": ["Upgrade ConvertX to version 0.17.0 or newer.", "If an upgrade is not immediately possible, run the application under an unprivileged user account with restricted filesystem permissions.", "Validate the filename parameter to block path\u2011traversal sequences or enforce a whitelist of allowed filenames for deletion."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary File Deletion"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all deployments of ConvertX from the earliest release up to but excluding version 0.17.0. The affected vendor is C4illin, product ConvertX.", "description_and_impact": "ConvertX is a self\u2011hosted file converter that, before version 0.17.0, constructs file paths for deletion from a user\u2011supplied filename without sufficient validation. By sending a POST to /delete with a path traversal sequence such as ../, an attacker can cause the server to delete arbitrary files outside the uploads directory. The scope of damage depends on the privileges of the server process, potentially allowing deletion of critical system files, logs, or configuration files, leading to data loss, denial of service, or privilege escalation.", "risk_and_exploitability": "The CVSS score of 8.1 indicates a high severity flaw, and the EPSS score of less than 1\u202f% suggests a very low probability of exploitation in the wild. The vulnerability is not in the CISA KEV catalog. Exploitation requires remote access to the HTTP endpoint and crafting a malicious POST request; the damage is limited only by the permissions granted to the server process."}}}}, "created": "2026-01-28T12:22:04.039846+00:00", "updated": "2026-04-18T02:00:10.469704+00:00", "vendors": ["c4illin", "c4illin$PRODUCT$convertx"]}