Date 2026-06-20. Target: Directus (directus/directus). Verdict: VULNERABLE-CONFIRMED HIGH (live). First paid-lane heavyweight-target win under the box upgrade.
GHSA-393c-p46r-7c95 (Critical, fixed 11.17.0) added a cross-user file-overwrite guard - checkUniqueFilename + generateFilenamePath - but ONLY on FilesService (api/src/services/files.ts). The TUS resumable-upload store (api/src/services/tus/data-store.ts) creates the directus_files row via a PLAIN ItemsService.createOne, never FilesService, so neither guard runs. A user who can write filename_disk via TUS Upload-Metadata overwrites any existing file by colliding on its disk name. Live-confirmed: a LOW-PRIV non-admin user overwrote an ADMIN-owned file's content (served by the admin's own file id) while REST PATCH with the same filename_disk returns ForbiddenError even for admin. Present in 11.17.0 AND at HEAD (api 36.0.2). Preconditions: TUS_ENABLED=true (opt-in) + role with filename_disk field-create (e.g. fields:['*']) - the same precondition the vendor accepted for the parent CVE.
override async createOne with the guard), grep for OTHER instantiators of the base class for the SAME collection/table. Here: new ItemsService<File>('directus_files', ...) in the TUS store = the bypass. This is the Node/TS analogue of the per-handler-scattered authz pattern (Gitea feeds, Filebrowser cleanup) - same shape, different layer.
Hunt query: grep -rn "new ItemsService.*'<collection>'" and check each against the guard that lives on the dedicated Service subclass.Fleet agent surfaced the candidate (cluster scouting); lead INDEPENDENTLY verified every code claim (asymmetry + field-perm reachability + HEAD) before trusting it (Skeptic Gate - never stage agent output unverified), then built a self-contained live PoC (docker Directus 11.17.0 + SQLite, ~1.2GB image, container torn down after). Heavyweight live-app PoC is now feasible post-box-upgrade and was decisive for cross-user severity. Repro: ~/bounty/findings/cycle255-directus-tus-filename-disk-overwrite-incomplete-fix/repro.sh.
Strapi CVE-2026-27886 incomplete-coverage: the relational-filter admin-token oracle fix is solid by default (createdBy/updatedBy are private:true -> throwPrivate), but a content type with populateCreatorFields:true re-opens an UNAUTH filter oracle leaking admin firstname/lastname/username (NOT credentials). Config-conditional, lower-sev, NEEDS-DYNAMIC-CONFIRM. Staged as a secondary lead, not yet PoC'd.