16 matches found
CVE-2026-35442
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, aggregate functions min, max applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any authenticated...
CVE-2026-35442 Directus: Authenticated Users Can Extract Concealed Fields via Aggregate Queries
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, aggregate functions min, max applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any authenticated...
CVE-2026-35442
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, aggregate functions min, max applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any authenticated...
CVE-2026-35442
CVE-2026-35442 affects Directus prior to 11.17.0, where aggregate functions (min/max) on fields with the concealed type can return raw database values instead of masked placeholders. When used with groupBy, any authenticated user with read access to the affected collection can extract concealed v...
Directus: Authenticated Users Can Extract Concealed Fields via Aggregate Queries
Summary Aggregate functions min, max applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any authenticated user with read access to the affected collection can extract concealed field values, includi...
GHSA-38HG-WW64-RRWC Directus: Authenticated Users Can Extract Concealed Fields via Aggregate Queries
Summary Aggregate functions min, max applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any authenticated user with read access to the affected collection can extract concealed field values, includi...
PT-2026-30332
Name of the Vulnerable Software and Affected Versions Directus affected versions not specified Description Aggregate functions min, max applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any...
Information Disclosure
Directus is vulnerable to information disclosure. The vulnerability is due to improper filtering of concealed fields in search queries, which allows an authenticated attacker to infer matches from returned records and enumerate sensitive data even though the values appear masked...
Directus's conceal fields are searchable if read permissions enabled
Summary A vulnerability allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked , successful matches can be detected through returned records, enabling enumeration attacks on sensitive data. Details The system permits sear...
EUVD-2025-177193
Directus's conceal fields are searchable if read permissions enabled...
Insertion of Sensitive Information Into Sent Data
Overview @directus/api is a real-time API and App dashboard for managing SQL database content Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data due to concealed fields being searchable if read permissions enabled. An attacker can infer the...
CVE-2025-64748
Directus is a real-time API and App dashboard for managing SQL database content. A vulnerability in versions prior to 11.13.0 allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked , successful matches can be detected...
CVE-2025-64748 Directus's conceal fields are searchable if read permissions enabled
Directus is a real-time API and App dashboard for managing SQL database content. A vulnerability in versions prior to 11.13.0 allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked , successful matches can be detected...
CVE-2025-64748 Directus's conceal fields are searchable if read permissions enabled
Directus is a real-time API and App dashboard for managing SQL database content. A vulnerability in versions prior to 11.13.0 allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked , successful matches can be detected...
CVE-2025-64748
CVE-2025-64748 affects Directus (real-time API and app dashboard for SQL databases). Prior to 11.13.0, authenticated users with read permissions can search concealed/sensitive fields; while actual values are masked, matching records reveal existence of those values, enabling data enumeration. Aff...
CVE-2025-64748 Directus's conceal fields are searchable if read permissions enabled
Directus is a real-time API and App dashboard for managing SQL database content. A vulnerability in versions prior to 11.13.0 allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked , successful matches can be detected...