CVE-2026-35411
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, Directus is vulnerable to an open redirect via the redirect query parameter on the /admin/tfa-setup page. When an administrator who has not yet configured Two-Factor Authentication (2FA) visits a...
CVE-2026-35410
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, an open redirect vulnerability exists in the login redirection logic. The isLoginRedirectAllowed function fails to correctly identify certain malformed URLs as external, allowing attackers to bypass...
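The advisory above describes a login-redirect allow-check that misclassifies certain malformed URLs as internal. The following is an added example, not Directus's own isLoginRedirectAllowed implementation, showing the general shape of that bug class: a naive prefix check beside a check that resolves the candidate with the URL parser and compares origins. The function names, the app origin and every probe input are constructed for this illustration and are not taken from the advisory.

```javascript
// Added example, not Directus's code. Contrasts a naive prefix-based redirect
// check with an origin comparison done by the WHATWG URL parser. All names and
// sample inputs below are constructed for the illustration.

// Naive pattern: accept anything that starts with the app origin or with a
// single "/". Several inputs that browsers resolve off-site slip through.
function naiveRedirectAllowed(candidate, appOrigin) {
  return candidate.startsWith(appOrigin) ||
    (candidate.startsWith('/') && !candidate.startsWith('//'));
}

// Hardened pattern: resolve the candidate against the app origin the way a
// browser would, then require the result to share that origin and use http(s).
// Anything the parser rejects is treated as external, so it fails closed.
function isSameOriginRedirect(candidate, appOrigin) {
  if (typeof candidate !== 'string' || candidate.length === 0) return false;
  // Tabs, newlines and other control characters are stripped or ignored by
  // the URL parser; reject them up front instead of normalising.
  if (/[\u0000-\u0020\u007f]/.test(candidate)) return false;
  let base, target;
  try {
    base = new URL(appOrigin);
    target = new URL(candidate, base);
  } catch {
    return false; // unparsable: cannot prove it is internal
  }
  if (target.protocol !== 'http:' && target.protocol !== 'https:') return false;
  return target.origin === base.origin;
}

// Constructed probe inputs: [candidate, verdict a correct check must give].
const APP_ORIGIN = 'https://cms.example';
const PROBES = [
  ['/admin/content', true],
  ['https://cms.example/admin/content', true],
  ['https://cms.example:443/admin', true],        // default port normalises away
  ['//evil.example/admin', false],                 // protocol-relative
  ['/\\evil.example/admin', false],                // "\" is treated as "/" by browsers
  ['https://cms.example.evil.example/', false],    // prefix matches, host differs
  ['https://cms.example@evil.example/', false],    // userinfo trick
  ['http:evil.example', false],                    // bare scheme, other host
  ['javascript:alert(1)', false],
];

// Run every probe through a checker and report the inputs it gets wrong.
function mistakes(checker) {
  return PROBES
    .filter(([input, expected]) => checker(input, APP_ORIGIN) !== expected)
    .map(([input]) => input);
}
```

Running mistakes(naiveRedirectAllowed) lists the backslash, host-suffix and userinfo probes; mistakes(isSameOriginRedirect) is empty. The point is not the specific probes but the approach: classify the candidate by how the URL parser resolves it, never by string prefixes.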
CVE-2026-35412
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, Directus' TUS resumable upload endpoint /files/tus allows any authenticated user with basic file upload permissions to overwrite arbitrary existing files by UUID. The TUS controller performs only...
CVE-2026-35413 Directus GraphQL Schema SDL Disclosure Setting
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, when GRAPHQL_INTROSPECTION=false is configured, Directus correctly blocks standard GraphQL introspection queries (__schema, __type). However, the server_specs_graphql resolver on the /graphql/system endpoint...
CVE-2026-35412
Directus prior to 11.16.1 is vulnerable to an authorization bypass in the TUS resumable upload endpoint (/files/tus). The TUS controller only performs collection-level authorization on directus_files and does not validate item-level access for the target file, allowing any authenticated user with...
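The two TUS entries above describe the same gap: the controller answers the collection-level question ("may this role update directus_files at all?") but never the item-level one ("may this user update this particular file?"). The following added example, which is not Directus's code, shows the two questions side by side on a constructed in-memory file table. The permission-rule shape, the $CURRENT_USER placeholder, the user and file ids and the handler names are all constructed for this illustration.

```javascript
// Added example, not Directus's code: why collection-level authorization is
// not enough for "overwrite existing file by id". Store, permission rule,
// ids and handler names are constructed for the illustration.

// Constructed stand-in for a files table keyed by id.
const FILES = new Map([
  ['f-1', { id: 'f-1', uploaded_by: 'u-alice', filename_download: 'alice-notes.txt' }],
  ['f-2', { id: 'f-2', uploaded_by: 'u-admin', filename_download: 'site-logo.svg' }],
]);

// Constructed rule for a "basic uploader" role: may create files, and may
// update only files it uploaded itself (filter compares a field to the
// current user).
const UPLOADER_PERMS = {
  create: { allowed: true },
  update: { allowed: true, filter: { uploaded_by: '$CURRENT_USER' } },
};

// Collection-level question only: does this role have the action at all?
function collectionAllows(perms, action) {
  return Boolean(perms[action] && perms[action].allowed);
}

// Item-level question: does the rule's filter match this particular row?
// '$CURRENT_USER' is resolved to the acting user's id before comparing.
function itemAllows(perms, action, item, userId) {
  if (!collectionAllows(perms, action)) return false;
  const filter = perms[action].filter || {};
  return Object.entries(filter).every(([field, want]) =>
    item[field] === (want === '$CURRENT_USER' ? userId : want));
}

// Vulnerable pattern: the overwrite handler checks the collection only, so any
// user with update on the collection can target any existing id.
function overwriteCollectionOnly(userId, perms, fileId, bytes) {
  const item = FILES.get(fileId);
  if (!item) return { status: 404 };
  if (!collectionAllows(perms, 'update')) return { status: 403 };
  return { status: 204, overwrote: item.filename_download, size: bytes.length };
}

// Fixed pattern: same handler, but the target row must satisfy the rule's
// filter for this user before any bytes are written.
function overwriteItemLevel(userId, perms, fileId, bytes) {
  const item = FILES.get(fileId);
  if (!item) return { status: 404 };
  if (!itemAllows(perms, 'update', item, userId)) return { status: 403 };
  return { status: 204, overwrote: item.filename_download, size: bytes.length };
}
```

With these constructed rules, u-alice overwriting f-2 (uploaded by u-admin) succeeds under the collection-only handler and is refused with 403 under the item-level one, while her own f-1 still succeeds in both. The general lesson is that any endpoint addressing an existing row by identifier must evaluate the row against the caller's permission filter, not just the presence of the action.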
EUVD-2026-19518
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, an open redirect vulnerability exists in the login redirection logic. The isLoginRedirectAllowed function fails to correctly identify certain malformed URLs as external, allowing attackers to bypass...
Directus input validation error vulnerability
Directus is an open-source real-time API and application dashboard developed by Directus. It is used to manage SQL database content. Prior to Directus 11.16.1, there was a vulnerability related to input validation errors. This vulnerability stemmed from the lack of validation for the redirect que...
Directus input validation error vulnerability
Directus is an open-source real-time API and application dashboard developed by Directus. It is used to manage SQL database content. Prior to Directus 11.16.1, there was a vulnerability related to input validation errors. This vulnerability stemmed from the isLoginRedirectAllowed function failing...
Directus information disclosure vulnerability
Directus is an open-source real-time API and application dashboard developed by Directus. It is used to manage SQL database content. Versions of Directus prior to 11.16.1 contained a vulnerability related to information leakage. This vulnerability stemmed from the server_specs_graphql resolver not...
@altipla/directus-sdk-utils (=0.7.2), @depup/directus (=11.16.1-depup.0) +6 more potentially affected by CVE-2026-35442 via directus (>=10.10.0 <=11.16.1)
directus NPM version =10.10.0, =15.0.0, =1.2.2, =1.0.0, =2.0.0 - directus-extension-blog-year-filter =1.0.0 Source cves: CVE-2026-35442 Source advisory: OSV:GHSA-38HG-WW64-RRWC...
Open Redirect
Overview: directus is a real-time API and App dashboard for managing SQL database content. Affected versions of this package are vulnerable to Open Redirect via the isLoginRedirectAllowed function during the authentication flow. An attacker can redirect users to arbitrary external...
Open Redirect
Overview: directus is a real-time API and App dashboard for managing SQL database content. Affected versions of this package are vulnerable to Open Redirect via the redirect parameter on the /admin/tfa-setup page. An attacker can redirect users to an external, attacker-controlled URL...
@altipla/directus-sdk-utils (=0.7.2), @depup/directus (=11.16.1-depup.0) +6 more potentially affected by CVE-2026-35408 via directus (>=10.10.0 <=11.16.1)
directus NPM version =10.10.0, =15.0.0, =1.2.2, =1.0.0, =2.0.0 - directus-extension-blog-year-filter =1.0.0 Source cves: CVE-2026-35408 Source advisory: OSV:GHSA-8M32-P958-JG99...