Home / Vulnerability Intelligence / CVE-2026-39942

CVE-2026-39942 - Vulnerability Analysis

HighCVSS: 8.5

Last Updated: April 9, 2026

Directus - Data Tampering

Published: April 9, 2026Updated: April 9, 2026Remote Exploitable

Overview

Directus < 11.17.0 contains a file overwrite vulnerability caused by insufficient validation of the filename_disk parameter in PATCH /files/{id} endpoint, letting attackers overwrite other users' files and manipulate metadata, exploit requires crafted request with specific filename_disk value.

Severity & Score

Severity: High

CVSS Score: 8.5

EPSS Score: 2.5%(Probability of exploitation in next 30 days)

Impact

Attackers can overwrite other users' files and manipulate metadata, leading to data tampering and potential information loss.

Mitigation

Update to version 11.17.0 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Apr 12, 2026

🟠 CVE-2026-39942 - High (8.5) Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's ... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-39942/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-39942
Severity: High
CVSS Score: 8.5
Type: undefined
Status: new
EPSS: 2.5%
Social Posts: 1

CWE

CWE-284

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N

EPSS Score

2.5%Probability of exploitation in the next 30 days