Vulnerability Database

308,926

Total vulnerabilities in the database

CVE-2025-55746

Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary contents (without changes being applied to the files' database-resident metadata) and / or upload new files, with arbitrary content and extensions, which won't show up in the Directus UI. This vulnerability is fixed in 11.9.3.

Published: Aug 20, 2025
Updated: Nov 17, 2025
CVE: CVE-2025-55746
GHSA: GHSA-mv33-9f6j-pfmc
Severity: Critical
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L

CWEs:

Affected Software
References

Software	From	Fixed in
directus	10.8.0	11.9.3
@directus / api	14.1.0	28.0.2

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo