{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-18T06:43:24.734","vulnerabilities":[{"cve":{"id":"CVE-2025-55746","sourceIdentifier":"security-advisories@github.com","published":"2025-08-20T18:15:35.183","lastModified":"2026-01-13T18:29:53.387","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary contents (without changes being applied to the files' database-resident metadata) and / or upload new files, with arbitrary content and extensions, which won't show up in the Directus UI. This vulnerability is fixed in 11.9.3."},{"lang":"es","value":"Directus es una API en tiempo real y un panel de control para aplicaciones que gestiona el contenido de bases de datos SQL. Desde la versión 10.8.0 hasta la versión 11.9.3, existe una vulnerabilidad en el mecanismo de actualización de archivos que permite a un usuario no autenticado modificar archivos existentes con contenido arbitrario (sin que se apliquen cambios a los metadatos residentes en la base de datos) o cargar nuevos archivos con contenido y extensiones arbitrarios, que no se mostrarán en la interfaz de Directus. Esta vulnerabilidad se corrigió en la versión 11.9.3."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L","baseScore":9.3,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":4.7},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-73"},{"lang":"en","value":"CWE-434"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*","versionStartIncluding":"10.8.0","versionEndExcluding":"11.9.3","matchCriteriaId":"D935DA05-410C-4095-A9E9-F41F6701641B"}]}]}],"references":[{"url":"https://github.com/directus/directus/commit/d84dcc36f75fc5c858d43746b8f9c426c38d696b","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/directus/directus/security/advisories/GHSA-mv33-9f6j-pfmc","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}