High severity8.5NVD Advisory· Published Apr 9, 2026· Updated Apr 14, 2026

CVE-2026-39942

Description

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content while manipulating metadata fields such as uploaded_by to obscure the tampering. This vulnerability is fixed in 11.17.0.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
directusnpm	< 11.17.0	11.17.0

Affected products

Monospace/Directus
cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*
Range: <11.17.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-393c-p46r-7c95ghsaADVISORY
github.com/directus/directus/security/advisories/GHSA-393c-p46r-7c95nvdMitigationVendor AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2026-39942ghsaADVISORY
github.com/directus/directus/releases/tag/v11.17.0nvdProductRelease NotesWEB

News mentions

No linked articles in our index yet.

cvss	0.552
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000