CVE-2026-24741

ConvertXis a self-hosted online file converter. In versions prior to 0.17.0, the POST /delete endpoint uses a user-controlled filename value to construct a filesystem path and deletes it via unlink without sufficient validation. By supplying path traversal sequences (e.g., ../), an attacker can delete arbitrary files outside the intended uploads directory, limited only by the permissions of the server process. Version 0.17.0 fixes the issue.