Description
ConvertX is a self-hosted online file converter. In versions prior to 0.17.0, the `POST /delete` endpoint uses a user-controlled `filename` value to construct a filesystem path and deletes it via `unlink` without sufficient validation. By supplying path traversal sequences (e.g., `../`), an attacker can delete arbitrary files outside the intended uploads directory, limited only by the permissions of the server process. Version 0.17.0 fixes the issue.
Published: 2026-01-27
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Deletion
Action: Immediate Patch
AI Analysis

Impact

ConvertX is a self-hosted file converter that, before version 0.17.0, constructs file paths for deletion from a user-supplied filename without sufficient validation. By sending a POST to /delete with a path traversal sequence such as ../, an attacker can cause the server to delete arbitrary files outside the uploads directory. The scope of damage depends on the privileges of the server process, potentially allowing deletion of critical system files, logs, or configuration files, leading to data loss, denial of service, or privilege escalation.

Affected Systems

The vulnerability affects all deployments of ConvertX from the earliest release up to but excluding version 0.17.0. The affected vendor is C4illin, product ConvertX.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity flaw, and the EPSS score of less than 1% suggests a very low probability of exploitation in the wild. The vulnerability is not in the CISA KEV catalog. Exploitation requires remote access to the HTTP endpoint and crafting a malicious POST request; the damage is limited only by the permissions granted to the server process.

Generated by OpenCVE AI on April 18, 2026 at 01:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ConvertX to version 0.17.0 or newer.
  • If an upgrade is not immediately possible, run the application under an unprivileged user account with restricted filesystem permissions.
  • Validate the filename parameter to block path-traversal sequences or enforce a whitelist of allowed filenames for deletion.
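The path construction described in the summary, beside the validation recommended in the last action above, as an added example that is not ConvertX's own code: a resolver that mirrors the pre-0.17.0 behaviour next to a hardened one. The uploads directory, the function names and the small path normaliser (standing in for path.resolve so the block runs offline) are assumptions for illustration.

```javascript
// Added example, not ConvertX's own code. UPLOADS_DIR and all names are
// hypothetical; normalizePosix stands in for path.resolve so this runs offline.
const UPLOADS_DIR = "/srv/convertx/uploads";

// Collapse "." and ".." segments of an absolute POSIX path, as path.resolve would.
function normalizePosix(p) {
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg);
  }
  return "/" + out.join("/");
}

// VULNERABLE (the pre-0.17.0 pattern from the advisory): the request's
// `filename` is appended to the uploads directory unchecked, so "../"
// segments walk out of it and the following unlink hits whatever the
// server process is permitted to delete.
function resolveDeleteTargetVulnerable(filename) {
  return normalizePosix(UPLOADS_DIR + "/" + filename);
}

// HARDENED: accept only a bare file name (the allowlist approach from the
// recommended actions), then re-check containment after normalisation.
function resolveDeleteTargetSafe(filename) {
  if (typeof filename !== "string" || filename === "") return null;
  // Reject separators, NUL and the two dot names outright rather than
  // stripping them: removing "../" once from "....//" still leaves "../".
  if (/[\/\\\0]/.test(filename) || filename === "." || filename === "..") return null;
  const target = normalizePosix(UPLOADS_DIR + "/" + filename);
  // Defence in depth: the resolved path must stay strictly inside UPLOADS_DIR.
  if (!target.startsWith(UPLOADS_DIR + "/")) return null;
  return target;
}

// Handler shape for POST /delete: returns the status instead of calling
// fs.unlink, so the example has no side effects.
function handleDelete(body) {
  const target = resolveDeleteTargetSafe(body && body.filename);
  return target ? { status: 200, target } : { status: 400, target: null };
}
```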

Generated by OpenCVE AI on April 18, 2026 at 01:55 UTC.


Advisories

No advisories yet.

History

Thu, 12 Feb 2026 21:15:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:c4illin:convertx:*:*:*:*:*:*:*:*

Wed, 28 Jan 2026 16:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 28 Jan 2026 12:30:00 +0000

Type: First Time appeared
Values Added: C4illin; C4illin convertx
Type: Vendors & Products
Values Added: C4illin; C4illin convertx

Tue, 27 Jan 2026 21:30:00 +0000

Type: Description
Values Added: ConvertX is a self-hosted online file converter. In versions prior to 0.17.0, the `POST /delete` endpoint uses a user-controlled `filename` value to construct a filesystem path and deletes it via `unlink` without sufficient validation. By supplying path traversal sequences (e.g., `../`), an attacker can delete arbitrary files outside the intended uploads directory, limited only by the permissions of the server process. Version 0.17.0 fixes the issue.
Type: Title
Values Added: ConvertX Vulnerable to Arbitrary File Deletion via Path Traversal in `POST /delete`
Type: Weaknesses
Values Added: CWE-22
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-28T15:14:23.019Z

Reserved: 2026-01-26T19:06:16.059Z

Link: CVE-2026-24741

Vulnrichment

Updated: 2026-01-28T15:14:03.848Z

NVD

Status: Analyzed

Published: 2026-01-27T22:15:56.303

Modified: 2026-02-12T21:08:24.083

Link: CVE-2026-24741

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T02:00:10Z

Weaknesses