CVE-2026-39942 Directus has a Path Traversal and Broken Access Control in File Management API
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content...
CVE-2026-39942
CVE-2026-39942 (Directus) is a path traversal/broken access control issue in the Directus file management API. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. An attacker can set filename_disk to the storage path of another user’s file, allowing...
EUVD-2022-6500
Malicious code in bioql PyPI...
GHSA-77QM-WVQQ-FG79 Directus vulnerable to unhandled exception on illegal filename_disk value
The Directus process can be aborted by having an authorized user update the filename_disk value to a folder and accessing that file through the /assets endpoint. The vulnerability is patched and released in v9.15.0. You can prevent this problem by making sure no untrusted non-admin users have...
Double free
Directus is a free and open-source data platform for headless content management. The Directus process can be aborted by having an authorized user update the filename_disk value to a folder and accessing that file through the /assets endpoint. This vulnerability has been patched and released in v9.15....