CVE-2026-39942
CVE-2026-39942
8.5
HighPublished:
Last updated:
Source:security-advisories@github.com
Analyzed
CVSS Vector
v3.1- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- Low
- User Interaction
- None
- Scope
- Changed
- Confidentiality
- Low
- Integrity
- High
- Availability
- None
Description
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content while manipulating metadata fields such as uploaded_by to obscure the tampering. This vulnerability is fixed in 11.17.0.
References
security-advisories@github.com
https://github.com/directus/directus/releases/tag/v11.17.0security-advisories@github.com
https://github.com/directus/directus/security/advisories/GHSA-393c-p46r-7c95