CVE-2026-39942
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/:id endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content...
EUVD-2026-20950
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/:id endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content...
PT-2026-31648
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/:id endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview: directus is a real-time API and App dashboard for managing SQL database content. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the filename_disk parameter in the file management API. An...
Directus: Path Traversal and Broken Access Control in File Management API
Summary: A broken access control vulnerability was identified in the Directus file management API that allows authenticated users to overwrite files belonging to other users by manipulating the filename_disk parameter. Details: The PATCH /files/:id endpoint accepts a user-controlled filename_disk...
CVE-2022-36031 Unhandled exception on illegal filename_disk value
Directus is a free and open-source data platform for headless content management. The Directus process can be aborted by having an authorized user update the filename_disk value to a folder and accessing that file through the /assets endpoint. This vulnerability has been patched and release v9.15....
PT-2022-23129 · Directus · Directus
Name of the Vulnerable Software and Affected Versions: Directus versions prior to 9.15.0. Description: The Directus process can be aborted by having an authorized user update the filename_disk value to a folder and accessing that file through the "/assets" endpoint. This issue has been patched and...
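Both entries above come down to the same root cause: a client-writable filename_disk column that the server later trusts as a storage path. In the 2026 issue (CVE-2026-39942) the value is pointed at another user's object so a follow-up upload overwrites it; in the 2022 issue (CVE-2022-36031) it is pointed at a folder so /assets crashes the process. The following TypeScript is an added example written for this page, not Directus source code: it shows the three guards a PATCH /files/:id handler and the /assets path should apply (reject server-managed fields in the body, enforce object-level ownership, and accept only a single well-formed path segment that resolves to a regular file). The record shape, the Requester type, the in-memory Map standing in for the database and the injected stat callback are all assumptions for the demo; only the column names (filename_disk, storage, uploaded_by) follow directus_files.

```typescript
// Added example, not Directus code. Demonstrates the server-side guards that
// close the filename_disk attack surface described in CVE-2026-39942 and
// CVE-2022-36031. Types, the Map "database" and the stat callback are
// assumptions made so the file runs stand-alone.

interface FileRecord {
  id: string;
  storage: string;        // storage adapter key, e.g. "local" (assumed)
  filename_disk: string;  // object name inside the adapter's root
  uploaded_by: string;
  title?: string;
}

interface Requester { id: string; admin: boolean }

interface PatchResult { ok: boolean; status: number; reason?: string; record?: FileRecord }

// Columns the server derives itself. A client body that names any of them
// is refused outright rather than silently stripped, so the caller learns
// the field is closed and an audit log can record the attempt.
const SERVER_MANAGED = new Set([
  "id", "storage", "filename_disk", "uploaded_by", "uploaded_on",
  "modified_by", "modified_on", "filesize", "charset",
]);

// Returns the body keys that try to touch server-managed columns (sorted for stable output).
function forbiddenKeys(body: Record<string, unknown>): string[] {
  return Object.keys(body).filter((k) => SERVER_MANAGED.has(k)).sort();
}

// Allowlist for a disk name: exactly one path segment, starting with an
// alphanumeric, so it can never be "", ".", "..", contain a separator or a
// NUL, and therefore can never resolve to a directory or climb out of root.
function isSafeDiskName(name: string): boolean {
  return /^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$/.test(name);
}

// PATCH /files/:id with ownership and field-level checks applied in order:
// existence, object-level authorization, then body validation.
function applyFilePatch(
  db: Map<string, FileRecord>,
  requester: Requester,
  id: string,
  body: Record<string, unknown>,
): PatchResult {
  const record = db.get(id);
  if (!record) return { ok: false, status: 404, reason: "no such file" };
  if (!requester.admin && record.uploaded_by !== requester.id) {
    return { ok: false, status: 403, reason: "not the owner of this file record" };
  }
  const bad = forbiddenKeys(body);
  if (bad.length > 0) {
    return { ok: false, status: 400, reason: `server-managed field(s): ${bad.join(", ")}` };
  }
  const updated: FileRecord = { ...record, ...(body as Partial<FileRecord>) };
  db.set(id, updated);
  return { ok: true, status: 200, record: updated };
}

// Defence in depth on the read side (/assets): even if a bad value reached
// the database, refuse to stream anything that is not a well-formed name
// resolving to a regular file. `stat` is injected so the demo needs no disk.
function resolveAsset(
  record: FileRecord,
  root: string,
  stat: (path: string) => { isFile: boolean } | undefined,
): string | undefined {
  if (!isSafeDiskName(record.filename_disk)) return undefined;
  const path = `${root}/${record.filename_disk}`;
  const st = stat(path);
  return st && st.isFile ? path : undefined;
}

// Constructed demo data: two users with one file each (hypothetical names).
function demo() {
  const db = new Map<string, FileRecord>([
    ["f-victim", { id: "f-victim", storage: "local", filename_disk: "1111-victim.pdf", uploaded_by: "u-victim" }],
    ["f-attacker", { id: "f-attacker", storage: "local", filename_disk: "2222-attacker.png", uploaded_by: "u-attacker" }],
  ]);
  const attacker: Requester = { id: "u-attacker", admin: false };
  // Pre-fix attack: repoint own record at the victim's object, then upload over it.
  const repoint = applyFilePatch(db, attacker, "f-attacker", { filename_disk: "1111-victim.pdf" });
  // Editing someone else's record directly is refused before the body is even looked at.
  const foreign = applyFilePatch(db, attacker, "f-victim", { title: "pwned" });
  // A legitimate metadata edit on the attacker's own record still succeeds.
  const rename = applyFilePatch(db, attacker, "f-attacker", { title: "holiday" });
  return { repoint, foreign, rename, untouched: db.get("f-victim")!.filename_disk };
}
```

The ordering inside applyFilePatch matters: the ownership check runs before body validation so an attacker cannot use the 400-vs-403 difference to probe which records exist and which fields are locked on records they do not own.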