CVE-2026-24741: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in C4illin ConvertX
CVE-2026-24741 is a high-severity path traversal vulnerability in C4illin ConvertX versions prior to 0.17.0. The vulnerability exists in the POST /delete endpoint, which improperly validates the user-supplied filename parameter, allowing attackers to delete arbitrary files outside the intended directory. Exploitation requires authenticated access but no user interaction, and can lead to significant integrity and availability impacts by deleting critical files. The vulnerability is fixed in version 0.17.0. European organizations using ConvertX should prioritize patching and implement strict access controls to mitigate risk. Countries with higher adoption of this software or critical infrastructure relying on it are more likely to be affected.
AI Analysis
Technical Summary
CVE-2026-24741 is a path traversal vulnerability classified under CWE-22 affecting the self-hosted online file converter ConvertX by C4illin. In versions before 0.17.0, the POST /delete endpoint accepts a user-controlled 'filename' parameter, which is concatenated directly into a filesystem path used by the unlink system call to delete files. The lack of proper validation or sanitization of this parameter allows attackers to include path traversal sequences such as '../' to escape the intended uploads directory and delete arbitrary files on the server. The scope of deletion is limited only by the permissions of the server process running ConvertX, potentially allowing removal of critical system or application files, leading to denial of service or data loss. Exploitation requires the attacker to have authenticated access to the application but does not require any user interaction beyond sending the crafted request. The vulnerability was publicly disclosed on January 27, 2026, with a CVSS v3.1 score of 8.1, indicating a high severity due to network attack vector, low attack complexity, required privileges, and no user interaction. The issue is resolved in ConvertX version 0.17.0 by implementing proper validation and restriction of file paths to prevent traversal outside the designated directory.
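The flaw described above, as an added example that is not ConvertX's own code: the unvalidated join the advisory describes beside a resolver that keeps the target inside the uploads directory. UPLOADS_DIR and the function names are assumptions; only paths are computed, nothing is unlinked.

```typescript
import * as path from "node:path";

// Constructed example, not ConvertX code. UPLOADS_DIR is a hypothetical
// base directory; posix path semantics are used so results are deterministic.
const p = path.posix;
export const UPLOADS_DIR = "/data/uploads";

// The pattern the advisory describes: the submitted filename is joined into
// the uploads path without validation, so "../" segments walk out of it.
// Only the resulting path is computed here; nothing is deleted.
export function unsafeDeleteTarget(filename: string): string {
  return p.join(UPLOADS_DIR, filename);
}

// Hardened variant: resolve the candidate, then require that it still lies
// inside the base directory. Returns null when the request must be refused.
export function safeDeleteTarget(filename: string, baseDir: string = UPLOADS_DIR): string | null {
  // Empty names, NUL bytes and absolute paths are never valid upload names.
  if (!filename || filename.includes("\0") || p.isAbsolute(filename)) return null;
  const base = p.resolve(baseDir);
  const candidate = p.resolve(base, filename);
  // Containment: the candidate must be base + "/" + something, not base itself
  // and not a sibling directory whose name merely starts with the base string.
  if (!candidate.startsWith(base + p.sep)) return null;
  // Uploads live flat in the directory, so reject anything with a subpath.
  if (p.dirname(candidate) !== base) return null;
  return candidate;
}
```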
Potential Impact
For European organizations, this vulnerability poses a significant risk to the integrity and availability of systems running vulnerable versions of ConvertX. Successful exploitation can lead to deletion of arbitrary files, including configuration files, logs, or critical application data, potentially causing service outages or data loss. Organizations relying on ConvertX for file conversion services may experience operational disruptions, impacting business continuity. If ConvertX is deployed in environments processing sensitive or regulated data, unauthorized file deletions could also lead to compliance violations under GDPR or other data protection regulations. The requirement for authentication limits exposure to internal or compromised users but does not eliminate risk, especially in environments with weak access controls or insider threats. The lack of known exploits in the wild suggests limited current exploitation, but the high severity and ease of exploitation warrant prompt remediation.
Mitigation Recommendations
European organizations should immediately upgrade all ConvertX instances to version 0.17.0 or later, where the vulnerability is patched. Until upgrades are completed, implement strict access controls to limit who can authenticate and access the /delete endpoint, including network segmentation and multi-factor authentication. Employ web application firewalls (WAFs) with custom rules to detect and block path traversal patterns in requests targeting the delete endpoint. Conduct thorough audits of file permissions and server process privileges to minimize the impact of potential file deletions. Regularly back up critical files and configurations to enable rapid recovery in case of exploitation. Additionally, monitor application logs for suspicious deletion requests containing traversal sequences and investigate any anomalies promptly. Educate administrators and users about the risks of path traversal vulnerabilities and the importance of applying security patches.
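The log monitoring recommended above, as an added example that is neither the advisory's nor ConvertX's code. It assumes a hypothetical key=value application log in which delete requests record the submitted filename; the sample lines are constructed. It flags parent-directory segments, absolute paths and NUL bytes after percent-decoding and backslash normalization, so encoded variants are caught as well as the literal form.

```typescript
// Added detection example; the log format and sample lines are constructed.
export interface DeleteEvent { line: string; filename: string; decoded: string; reason: string }

// Percent-decode repeatedly (bounded) so single- and double-encoded forms
// are compared in canonical form; backslashes are treated as separators.
export function normalizeFilename(raw: string): string {
  let s = raw;
  for (let i = 0; i < 3; i++) {
    let d: string;
    try { d = decodeURIComponent(s); } catch { break; }
    if (d === s) break;
    s = d;
  }
  return s.replace(/\\/g, "/");
}

// Why a decoded filename is suspicious, or null when it looks like a plain name.
export function traversalReason(decoded: string): string | null {
  if (decoded.includes("\0")) return "NUL byte";
  if (decoded.startsWith("/")) return "absolute path";
  if (decoded.split("/").some((seg) => seg === "..")) return "parent-directory segment";
  return null;
}

// Only delete events carry the filename we care about in this hypothetical format.
const FILENAME_RE = /action=delete\b.*?\bfilename="([^"]*)"/;

export function flagTraversalDeletes(lines: string[]): DeleteEvent[] {
  const hits: DeleteEvent[] = [];
  for (const line of lines) {
    const m = FILENAME_RE.exec(line);
    if (!m) continue;
    const decoded = normalizeFilename(m[1]);
    const reason = traversalReason(decoded);
    if (reason) hits.push({ line, filename: m[1], decoded, reason });
  }
  return hits;
}

// Constructed sample log: one benign delete, three traversal attempts in
// plain, percent-encoded and backslash form, and a non-delete action.
export const SAMPLE_LOG = [
  '2026-01-27T21:35:57Z user=alice action=delete filename="report.pdf"',
  '2026-01-27T21:36:02Z user=bob action=delete filename="../../app/config.json"',
  '2026-01-27T21:36:10Z user=bob action=delete filename="%2e%2e%2f%2e%2e%2fapp%2fconfig.json"',
  '2026-01-27T21:36:15Z user=carol action=convert filename="../notes.txt"',
  '2026-01-27T21:36:20Z user=dave action=delete filename="..\\..\\app\\config.json"',
];
```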
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-26T19:06:16.059Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69792fbd4623b1157c48ea56
Added to database: 1/27/2026, 9:35:57 PM
Last enriched: 1/27/2026, 9:50:19 PM
Last updated: 1/28/2026, 1:53:45 AM