CVE-2026-35412 Directus has a TUS Upload Authorization Bypass Allows Arbitrary File Overwrite

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, Directus' TUS resumable upload endpoint /files/tus allows any authenticated user with basic file upload permissions to overwrite arbitrary existing files by UUID. The TUS controller performs only...

CVE-2026-35412

Directus prior to 11.16.1 is vulnerable to an authorization bypass in the TUS resumable upload endpoint (/files/tus). The TUS controller only performs collection-level authorization on directus_files and does not validate item-level access for the target file, allowing any authenticated user with...

CVE-2026-32759 File Browser TUS Negative Upload-Length Fires Post-Upload Hooks Prematurely

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. In versions on the 2.x branch prior to 2.33.8, the TUS resumable upload handler parses the Upload-Length header as a signed 64-bit integer without validating th...

CVE-2026-32759 File Browser TUS Negative Upload-Length Fires Post-Upload Hooks Prematurely

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. In versions 2.61.2 and below, the TUS resumable upload handler parses the Upload-Length header as a signed 64-bit integer without validating that the value is...