In Directus 7 API prior to 2.2.1, uploading of PHP files is not blocked, leading to uploads/_/originals remote code execution.
rangerstudio directus 7 api