CVE-2025-55746

CRITICAL

Directus 10.8.0-11.9.2 - Unauthenticated Arbitrary File Upload via File Update Mechanism

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-55746. PoCs published by r4bbit-r4.

AI-analyzed exploit summary This repository contains presentation slides (reveal.js) for a talk about a Directus vulnerability (CVE-2025-55746). No exploit code or technical details are provided.

Description

Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary contents (without changes being applied to the files' database-resident metadata) and / or upload new files, with arbitrary content and extensions, which won't show up in the Directus UI. This vulnerability is fixed in 11.9.3.

Exploits (1)

nomisec WRITEUP 1 stars
by r4bbit-r4 · poc
https://github.com/r4bbit-r4/directus-preso

This repository contains presentation slides (reveal.js) for a talk about a Directus vulnerability (CVE-2025-55746). No exploit code or technical details are provided.

Classification
Writeup 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: Directus (version unspecified)
No auth needed
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 9.3
EPSS 0.0019
EPSS Percentile 40.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-434 CWE-73
Status published
Products (3)
directus/api 14.1.0 - 28.0.2npm
monospace/directus 10.8.0 - 11.9.3
npm/directus 10.8.0 - 11.9.3npm
Published Aug 20, 2025
Tracked Since Feb 18, 2026