What is the CVSS score of CVE-2026-24741?

CVE-2026-24741 has a CVSS 3.1 base score of 8.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Convertx are affected by CVE-2026-24741?

ConvertX versions prior to 0.17.0 contain a critical file deletion vulnerability that allows attackers to delete arbitrary files on affected servers, potentially compromising system integrity and…. A patch is available.

Is there a public PoC exploit available for CVE-2026-24741?

Yes, a public proof-of-concept exploit is available for CVE-2026-24741. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2026-24741?

Within 24 hours: Identify all ConvertX instances and their versions in your environment; assess network exposure and restrict access to the POST /delete endpoint. Within 7 days: Apply vendor patch to upgrade to version 0.17.0 or later across all instances. Within 30 days: Conduct file integrity audits on affected systems and review access logs for evidence of exploitation.

Convertx CVE-2026-24741

HIGH

Path Traversal (CWE-22)

2026-01-27 security-advisories@github.com

Path Traversal Convertx

8.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.1 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Feb 12, 2026 - 21:08 vuln.today

Public exploit code

Patch released

Feb 12, 2026 - 21:08 nvd

Patch available

CVE Published

Jan 27, 2026 - 22:15 nvd

HIGH 8.1

DescriptionGitHub Advisory

ConvertXis a self-hosted online file converter. In versions prior to 0.17.0, the POST /delete endpoint uses a user-controlled filename value to construct a filesystem path and deletes it via unlink without sufficient validation. By supplying path traversal sequences (e.g., ../), an attacker can delete arbitrary files outside the intended uploads directory, limited only by the permissions of the server process. Version 0.17.0 fixes the issue.

AnalysisAI

Arbitrary file deletion in ConvertX prior to version 0.17.0 allows authenticated attackers to remove files outside the intended upload directory by exploiting insufficient path validation in the POST /delete endpoint. The vulnerability enables attackers to supply path traversal sequences that bypass directory restrictions, with impact limited only by server process permissions. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate to ConvertX application

Exploit

Send POST request to /delete endpoint

Execution

Supply path traversal sequences in filename parameter

Impact

Delete arbitrary files via unlink function