CVE-2026-24741 is a path traversal vulnerability classified under CWE-22 affecting C4illin ConvertX, a self-hosted online file converter. In versions prior to 0.17.0, the application’s POST /delete endpoint accepts a filename parameter from the user and constructs a filesystem path to delete the specified file using the unlink system call. However, the application fails to properly sanitize or validate the filename input, allowing attackers to include path traversal sequences such as '../' to navigate outside the intended uploads directory. This lack of restriction enables deletion of arbitrary files on the server filesystem, limited only by the permissions of the server process running ConvertX. The vulnerability has a CVSS 3.1 base score of 8.1, reflecting its high severity due to network attack vector, low attack complexity, required privileges (PR:L - low privileges), no user interaction, and high impact on integrity and availability. Exploiting this flaw could allow an attacker to delete critical system or application files, potentially causing denial of service or disrupting business operations. The vulnerability was publicly disclosed on January 27, 2026, and fixed in version 0.17.0 of ConvertX. No known exploits have been reported in the wild yet, but the simplicity of the attack vector and the severity of impact make it a significant threat to organizations running vulnerable versions.

For European organizations, this vulnerability poses a serious risk to the integrity and availability of systems running ConvertX versions prior to 0.17.0. Successful exploitation could lead to deletion of critical files, including configuration files, logs, or other application data, potentially causing service outages or data loss. This could disrupt business processes, especially for organizations relying on ConvertX for document conversion workflows. The impact is heightened in environments where the ConvertX server runs with elevated privileges or has access to sensitive directories. Additionally, deletion of security or audit logs could hinder incident response and forensic investigations. Given the network-exploitable nature of the vulnerability and the lack of required user interaction, attackers could remotely trigger file deletions, increasing the risk of widespread disruption. Organizations in sectors with strict data integrity and availability requirements, such as finance, healthcare, and government, are particularly vulnerable to operational and compliance impacts.

European organizations should immediately upgrade all instances of ConvertX to version 0.17.0 or later, where the vulnerability is patched. Until upgrades can be applied, organizations should implement strict network segmentation and firewall rules to limit access to the ConvertX service to trusted internal users only. Employ application-layer filtering or web application firewalls (WAFs) to detect and block requests containing path traversal sequences in the filename parameter. Review and harden file system permissions for the ConvertX server process to minimize the scope of files that can be deleted, ensuring it runs with the least privileges necessary. Implement monitoring and alerting on file deletion events and unusual activity on the server hosting ConvertX. Conduct regular backups of critical files and configurations to enable rapid recovery in case of malicious deletion. Finally, perform security assessments and code reviews on custom or third-party web applications to detect similar path traversal vulnerabilities proactively.