SB20260423135 - External Control of File Name or Path in Directus

Published: April 23, 2026

Security Bulletin ID: SB20260423135
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact

Breakdown by Severity

High 100%

Description

This security bulletin contains information about 1 vulnerability.


1) External Control of File Name or Path (CVE-ID: CVE-2025-55746)

CWE-ID: CWE-73 - External Control of File Name or Path

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to upload arbitrary files and modify existing files.

The vulnerability exists due to external control of a file name or path (CWE-73) in the /files endpoint and in the file update mechanism: when handling file upload and update requests, the application honours a user-controlled filename_disk value when deciding where the file is stored. A remote attacker can send a specially crafted request to upload arbitrary files or to overwrite existing files.

Modifying an existing file requires knowledge of at least one existing file UUID, and uploaded files may not appear in the Directus UI.


Remediation

Install update from vendor's website.