Platform: other
Component: convertx
Fixed in: 0.17.1
CVE-2026-24741 describes a Path Traversal vulnerability discovered in ConvertX, a self-hosted online file converter. This flaw allows attackers to delete arbitrary files on the server by manipulating the filename parameter in the /delete endpoint. The vulnerability impacts versions of ConvertX prior to 0.17.0, and a patch has been released to address the issue.
The primary impact of this vulnerability is the potential for unauthorized file deletion. An attacker can leverage path traversal sequences (e.g., ../) within the filename parameter to bypass intended restrictions and delete files outside the intended uploads directory. The extent of damage depends on the permissions of the server process running ConvertX; an attacker with sufficient privileges could potentially delete critical system files, leading to denial of service or even complete system compromise. This vulnerability shares similarities with other path traversal exploits where attackers gain unauthorized access to sensitive data or system resources.
CVE-2026-24741 was publicly disclosed on 2026-01-27. There are currently no known public proof-of-concept exploits available. The EPSS score is pending evaluation. It is not currently listed on the CISA KEV catalog.
Self-hosting users of ConvertX are at risk, particularly those running versions prior to 0.17.0. Shared hosting environments where ConvertX is installed may also be vulnerable if the hosting provider has not applied the necessary security updates. Users who have configured ConvertX with overly permissive file system permissions are at higher risk.
EPSS: 0.13% (32nd percentile)
The primary mitigation for CVE-2026-24741 is to immediately upgrade ConvertX to version 0.17.0 or later, which includes the necessary validation to prevent path traversal. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter requests containing path traversal sequences in the filename parameter of the /delete endpoint. Additionally, review file system permissions to ensure the ConvertX process has the minimum necessary privileges to operate. Regularly monitor server logs for suspicious activity, specifically attempts to access or delete files outside the expected upload directory.
Upgrade ConvertX to version 0.17.0 or later. This version fixes the path traversal vulnerability in the `/delete` endpoint. The upgrade will prevent attackers from deleting arbitrary files on the system.
CVE-2026-24741 is a Path Traversal vulnerability in ConvertX versions prior to 0.17.0, allowing attackers to delete arbitrary files on the server.
You are affected if you are using ConvertX version 0.17.0 or earlier. Upgrade to 0.17.0 to mitigate the risk.
Upgrade ConvertX to version 0.17.0 or later. As a temporary workaround, restrict server permissions and implement filename validation.
There is currently no evidence of active exploitation of CVE-2026-24741.
Refer to the ConvertX project's official website or repository for the latest security advisories and release notes.