1. Home
  2. CVE Database
  3. CVE-2025-55746
CRITICAL · 9.3

CVE-2025-55746

Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in the file update mechanism which allows an unauthenticated actor...

Vulnerability Description

Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary contents (without changes being applied to the files' database-resident metadata) and / or upload new files, with arbitrary content and extensions, which won't show up in the Directus UI. This vulnerability is fixed in 11.9.3.

CVSS Score

9.3

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality
NONE
Integrity
HIGH
Availability
LOW

Affected Products

VendorProductVersions
MonospaceDirectus>= 10.8.0, < 11.9.3

Related Weaknesses (CWE)

CWE-434CWE-73

References

FAQ

What is CVE-2025-55746?

CVE-2025-55746 is a vulnerability with a CVSS score of 9.3 (CRITICAL). Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in the file update mechanism which allows an unauthenticated actor...

How severe is CVE-2025-55746?

CVE-2025-55746 has been rated CRITICAL with a CVSS base score of 9.3/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2025-55746?

Check the references section above for vendor advisories and patch information. Affected products include: Monospace Directus.