Platform: other
Component: convertx
Fixed in: 0.17.1
CVE-2026-24741 describes a Path Traversal vulnerability discovered in ConvertX, a self-hosted online file converter. This flaw allows attackers to delete arbitrary files on the server by manipulating the filename parameter in the /delete endpoint. The vulnerability impacts versions of ConvertX prior to 0.17.0, and a patch has been released to address the issue.
The primary impact of this vulnerability is the potential for unauthorized file deletion. An attacker can leverage path traversal sequences (e.g., ../) within the filename parameter to bypass intended restrictions and delete files outside the designated uploads directory. The extent of damage depends on the permissions granted to the server process running ConvertX. Successful exploitation could lead to data loss, system instability, or even complete compromise of the server if critical system files are targeted. This vulnerability shares similarities with other path traversal exploits where attackers leverage predictable file system structures to gain unauthorized access.
CVE-2026-24741 was publicly disclosed on 2026-01-27. There is no indication of active exploitation campaigns or KEV listing at the time of writing. No public proof-of-concept exploits have been released. The EPSS score is pending evaluation.
EPSS: 0.13% (32% percentile)
The recommended mitigation is to immediately upgrade ConvertX to version 0.17.0 or later, which includes the necessary fix. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict the permissions of the server process running ConvertX to minimize the impact of potential file deletions. Implement strict filename validation on the /delete endpoint to prevent path traversal sequences. Consider using a Web Application Firewall (WAF) to filter malicious requests containing path traversal attempts. After upgrading, confirm the fix by attempting a deletion request with a path traversal sequence (e.g., /delete?filename=../../../../etc/passwd) and verifying that the request is rejected.
Upgrade ConvertX to version 0.17.0 or later. This version fixes the path traversal vulnerability in the `/delete` endpoint. The upgrade will prevent attackers from deleting arbitrary files on the system.
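The filename validation workaround described above can be built as two layers: an allowlist for the name itself, then a containment check on the resolved path. This is an added example, not ConvertX's code or its patch; `UPLOADS_DIR`, `isInside`, `resolveDeleteTarget` and the sample values are assumptions made for illustration.

```javascript
// Added example, not ConvertX's own code. All names below are hypothetical.
const path = require("path").posix; // POSIX rules so results match on any host

// Assumed uploads location (constructed for this example).
const UPLOADS_DIR = "/srv/convertx/uploads";

// Layer 1: allowlist for one plain file name (no separators, NUL or '%').
const SAFE_NAME = /^[A-Za-z0-9._ -]{1,255}$/;

// Layer 2: true only if `target` is strictly inside `base` once resolved.
// path.relative avoids the prefix bug where "/srv/convertx/uploads-old/x"
// would pass a naive target.startsWith(base) comparison.
function isInside(base, target) {
  const rel = path.relative(base, target);
  return rel !== "" && rel !== ".." && !rel.startsWith("../") && !path.isAbsolute(rel);
}

// Returns the absolute path that may be deleted, or null to reject the request.
// Symlinks are not followed here; resolve them (fs.realpathSync) before the
// containment check if the uploads directory can contain links.
function resolveDeleteTarget(filename, base = UPLOADS_DIR) {
  if (typeof filename !== "string" || !SAFE_NAME.test(filename)) return null;
  if (filename === "." || filename === "..") return null;
  const target = path.resolve(base, filename);
  return isInside(base, target) ? target : null;
}

// Constructed values for the filename parameter, as the handler would see them.
const SAMPLES = [
  "report.pdf",
  "../../../../etc/passwd",
  "/etc/passwd",
  "..",
  "%2e%2e%2fsecret",
  "a/../../b",
  "notes\u0000.txt",
];

function auditSamples() {
  return SAMPLES.map((name) => [name, resolveDeleteTarget(name)]);
}

for (const [name, target] of auditSamples()) {
  console.log(JSON.stringify(name), "->", target ?? "REJECTED");
}
```

Only `report.pdf` resolves to a deletable path; every other sample is rejected before any filesystem call would be made.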
CVE-2026-24741 is a Path Traversal vulnerability in ConvertX versions prior to 0.17.0, allowing attackers to delete arbitrary files on the server.
You are affected if you are using ConvertX version 0.17.0 or earlier. Upgrade to 0.17.0 to mitigate the risk.
Upgrade ConvertX to version 0.17.0 or later. As a temporary workaround, restrict server permissions and implement filename validation.
There is currently no evidence of active exploitation of CVE-2026-24741.
Refer to the ConvertX project's official website or repository for the latest security advisories and release notes.