22 matches found

RedhatCVE
added 2026/06/05 7:12 p.m., 6 views

CVE-2026-39942

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/id endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content...

CVSS 8.8 | AI score 5.6 | EPSS 0.00204
Exploits: 0 | References: 1
NVD
added 2026/04/09 5:16 p.m., 2 views

CVE-2026-39942

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/id endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content...

CVSS 8.8 | EPSS 0.00204
Exploits: 0 | References: 2
EUVD
added 2026/04/09 4:12 p.m., 3 views

EUVD-2026-20952

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus stores revision records in directus_revisions whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline,...

CVSS 6.5 | AI score 6 | EPSS 0.0017
Exploits: 0 | References: 2
EUVD
added 2026/04/09 4:07 p.m., 20 views

EUVD-2026-20950

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/id endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content...

CVSS 8.5 | AI score 5.9 | EPSS 0.00204
Exploits: 0 | References: 2
ATTACKERKB
added 2026/04/09 4:07 p.m., 3 views

CVE-2026-39942

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/id endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content...

CVSS 8.5 | AI score 5.9 | EPSS 0.00204
Exploits: 0 | References: 3 | Affected software: 1
Positive Technologies
added 2026/04/09 12:00 a.m., 4 views

PT-2026-31649

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus stores revision records in directus_revisions whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline,...

CVSS 6.5 | AI score 6 | EPSS 0.0017
Exploits: 0 | References: 3
Positive Technologies
added 2026/04/09 12:00 a.m., 3 views

PT-2026-31648

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/id endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content...

CVSS 8.5 | AI score 5.9 | EPSS 0.00204
Exploits: 0 | References: 3
RedhatCVE
added 2026/04/07 11:01 p.m., 5 views

CVE-2026-35442

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, aggregate functions (min, max) applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any authenticated...

CVSS 8.1 | AI score 5.9 | EPSS 0.00337
Exploits: 0 | References: 1
NVD
added 2026/04/06 10:16 p.m., 6 views

CVE-2026-35442

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, aggregate functions (min, max) applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any authenticated...

CVSS 8.1 | EPSS 0.00337
Exploits: 0 | References: 1
ATTACKERKB
added 2026/04/06 9:36 p.m., 4 views

CVE-2026-35442

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, aggregate functions (min, max) applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any authenticated...

CVSS 8.1 | AI score 5.9 | EPSS 0.00337
Exploits: 0 | References: 2 | Affected software: 1
Cvelist
added 2026/04/06 9:36 p.m., 17 views

CVE-2026-35441 Directus Affected by GraphQL Alias Amplification Denial-of-Service Due to Missing Query Cost/Complexity Limits

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus' GraphQL endpoints /graphql and /graphql/system did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to repeat an expensive...

CVSS 6.5 | EPSS 0.00361
Exploits: 0 | References: 1
Vulnrichment
added 2026/04/06 9:36 p.m., 2 views

CVE-2026-35441 Directus Affected by GraphQL Alias Amplification Denial-of-Service Due to Missing Query Cost/Complexity Limits

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus' GraphQL endpoints /graphql and /graphql/system did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to repeat an expensive...

CVSS 6.5 | AI score 6 | EPSS 0.00361
Exploits: 0 | References: 1
ATTACKERKB
added 2026/04/06 9:36 p.m., 1 view

CVE-2026-35441

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus' GraphQL endpoints /graphql and /graphql/system did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to repeat an expensive...

CVSS 6.5 | AI score 6 | EPSS 0.00361
Exploits: 0 | References: 2 | Affected software: 1
CVE
added 2026/04/06 9:36 p.m., 16 views

CVE-2026-35441

Directus CVE-2026-35441 affects Directus up to version 11.16.x, with the GraphQL endpoints /graphql and /graphql/system failing to deduplicate resolver invocations within a single request. The vulnerability allows an authenticated user to abuse GraphQL aliasing to trigger many expensive relationa...

CVSS 6.5 | AI score 6 | EPSS 0.00361
Exploits: 0 | References: 1 | Affected software: 1
Vulnrichment
added 2026/04/06 9:30 p.m., 3 views

CVE-2026-35408 Directus is Missing Cross-Origin Opener Policy

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus's Single Sign-On (SSO) login pages lacked a Cross-Origin-Opener-Policy (COOP) HTTP response header. Without this header, a malicious cross-origin window that opens the Directus login page retai...

CVSS 8.7 | AI score 5.9 | EPSS 0.00169
Exploits: 0 | References: 1
CVE
added 2026/04/06 9:30 p.m., 11 views

CVE-2026-35408

Summary of CVE-2026-35408 (Directus): Prior to 11.17.0, Directus SSO login pages did not send COOP headers, enabling a malicious cross-origin window to access/manipulate the login page and potentially intercept/redirect the OAuth flow to an attacker-controlled client. This could lead to unauthori...

CVSS 9.3 | AI score 5.9 | EPSS 0.00169
Exploits: 0 | References: 1 | Affected software: 1
CNNVD
added 2026/04/06 12:00 a.m., 5 views

Directus security vulnerability

Directus is an open-source real-time API and application dashboard developed by Directus. It is used to manage SQL database content. Versions of Directus prior to 11.17.0 contained a security vulnerability. This vulnerability stemmed from the use of aggregate functions on conceal-type fields, whi...

CVSS 8.1 | AI score 5.8 | EPSS 0.00337
Exploits: 0 | References: 2
Snyk
added 2026/04/04 6:13 a.m., 4 views

Incorrect Authorization

Overview: directus is a real-time API and App dashboard for managing SQL database content. Affected versions of this package are vulnerable to Incorrect Authorization in the aggregate query process when applying min or max functions to fields marked as concealed. An attacker can...

CVSS 8.6 | AI score 5.9 | EPSS 0.00337
Exploits: 0 | References: 2
Snyk
added 2026/04/04 6:13 a.m., 1 view

Allocation of Resources Without Limits or Throttling

Overview: directus is a real-time API and App dashboard for managing SQL database content. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the health check resolver process. An attacker can exhaust system resources, leading...

CVSS 8.7 | AI score 6
Exploits: 0 | References: 2
Snyk
added 2026/04/04 6:12 a.m., 1 view

Allocation of Resources Without Limits or Throttling

Overview: directus is a real-time API and App dashboard for managing SQL database content. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the GraphQL resolver process. An attacker can exhaust server resources and cause...

CVSS 7.1 | AI score 6.1 | EPSS 0.00361
Exploits: 0 | References: 2