External Control of File Name or Path in Directus - CVE-2025-55746


Published: April 23, 2026


Vulnerability identifier: #VU127118
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2025-55746
CWE-ID: CWE-73
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Directus
Affected software:
Directus

Detailed vulnerability description

The vulnerability allows a remote attacker to upload arbitrary files and modify existing files.

The vulnerability exists due to external control of file name or path in the /files endpoint and file update mechanism when handling file upload and update requests with a user-controlled filename_disk value. A remote attacker can send a specially crafted request to upload arbitrary files and modify existing files.

Exploitation requires knowledge of at least one existing file UUID to modify an existing file, and uploaded files may not appear in the Directus UI.


How to mitigate CVE-2025-55746

Install security update from vendor's website.

Sources