CVE-2026-24741 Overview
CVE-2026-24741 is a Path Traversal vulnerability affecting ConvertX, a self-hosted online file converter application. In versions prior to 0.17.0, the POST /delete endpoint uses a user-controlled filename value to construct a filesystem path and deletes it via unlink without sufficient validation. By supplying path traversal sequences (e.g., ../), an attacker can delete arbitrary files outside the intended uploads directory, limited only by the permissions of the server process.
Critical Impact
Authenticated attackers can delete arbitrary files on the server by exploiting insufficient path validation in the file deletion endpoint, potentially causing denial of service or compromising system integrity.
Affected Products
- ConvertX versions prior to 0.17.0
Discovery Timeline
- 2026-01-27 - CVE-2026-24741 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2026-24741
Vulnerability Analysis
This vulnerability falls under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal or Directory Traversal. The flaw exists in the /delete endpoint of ConvertX where user-supplied filename parameters are used directly in file system operations without proper sanitization.
When a user submits a delete request, the application constructs a file path using the provided filename parameter. The lack of validation allows attackers to inject path traversal sequences like ../ to escape the intended uploads directory and target files elsewhere on the system. The unlink function then removes whatever file the attacker specified, constrained only by the permissions of the web server process.
This type of vulnerability can lead to severe consequences including deletion of critical configuration files, application binaries, or system files, resulting in denial of service or potentially enabling further attacks by removing security controls.
Root Cause
The root cause is the absence of input sanitization on the filename parameter before it is used to construct a filesystem path for deletion. The application trusted user input without validating that the resulting path remained within the intended uploads directory boundary.
Attack Vector
The attack is network-accessible and requires low privileges (authenticated access). An attacker sends a crafted POST request to the /delete endpoint with a malicious filename parameter containing path traversal sequences. For example, a filename value of ../../../../etc/important-config would traverse up the directory tree and target files outside the uploads folder. The server then executes the unlink operation on the traversed path, deleting the targeted file.
// Security patch in src/pages/deleteFile.tsx - Merge commit from fork
import db from "../db/db";
import { WEBROOT } from "../helpers/env";
import { userService } from "./user";
+import sanitize from "sanitize-filename";
+import path from "node:path";
export const deleteFile = new Elysia().use(userService).post(
"/delete",
Source: GitHub Commit
The patch introduces the sanitize-filename library and path module from Node.js to properly validate and sanitize the filename input before constructing the filesystem path.
Detection Methods for CVE-2026-24741
Indicators of Compromise
- Unusual POST requests to the /delete endpoint containing path traversal sequences (../, ..%2f, ..%5c)
- Unexpected file deletions or missing files in system directories
- Web server error logs showing failed attempts to delete files outside the uploads directory
- Audit logs indicating file deletion operations on sensitive system paths
Detection Strategies
- Monitor HTTP request logs for path traversal patterns in the filename parameter of /delete requests
- Implement Web Application Firewall (WAF) rules to detect and block path traversal sequences
- Enable file integrity monitoring (FIM) on critical system files and directories
- Review application logs for unusual deletion patterns or access denied errors
Monitoring Recommendations
- Configure alerting for any POST /delete requests containing ../ or URL-encoded variants
- Monitor server process file access patterns for deletions outside expected directories
- Implement real-time log analysis to detect path traversal attack attempts
- Set up baseline monitoring for file system changes on the ConvertX server
How to Mitigate CVE-2026-24741
Immediate Actions Required
- Upgrade ConvertX to version 0.17.0 or later immediately
- If upgrade is not immediately possible, restrict access to the /delete endpoint at the network level
- Review file system permissions to minimize the impact of potential exploitation
- Audit recent access logs for evidence of exploitation attempts
Patch Information
The vulnerability is fixed in ConvertX version 0.17.0. The patch introduces proper filename sanitization using the sanitize-filename library and Node.js path module to ensure user-supplied filenames cannot traverse outside the intended uploads directory. Review the GitHub Security Advisory and patch commit for complete technical details.
Workarounds
- Implement a reverse proxy or WAF rule to filter requests containing path traversal sequences to the /delete endpoint
- Temporarily disable the file deletion functionality if not critical to operations
- Run the ConvertX service under a restricted user account with minimal filesystem permissions
- Use containerization (e.g., Docker) to isolate the application and limit the scope of potential file deletions
# Example WAF rule to block path traversal in delete requests
# For nginx with ModSecurity
SecRule REQUEST_URI "@contains /delete" "chain,id:1001,deny,status:403"
SecRule ARGS:filename "@rx \.\.[\\/]" "t:urlDecode"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
