CVE-2025-53887
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, the exact Directus version number is incorrectly used as the OpenAPI Spec version, which means it is exposed by the /server/specs/oas endpoint without...
CVE-2025-53886 Directus doesn't redact tokens in Flow logs
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows with the WebHook trigger, all incoming request details are logged, including security-sensitive data like access and refresh tokens in...
CVE-2024-28239
Directus is a real-time API and App dashboard for managing SQL database content. The authentication API has a redirect parameter that can be exploited as an open redirect vulnerability when a user tries to log in via the API URL. A redirect is performed after successful login via the Auth...
CVE-2020-19850 Directus API vulnerable to denial of service
An issue found in Directus API v.2.2.0 allows a remote attacker to cause a denial of service via a large number of HTTP requests...
CVE-2019-13983
Directus 7 API before 2.2.2 has insufficient anti-automation, as demonstrated by lack of a CAPTCHA in core/Directus/Services/AuthService.php and endpoints/Auth.php...
@deconz-community/directus-extension-ddf-store (=0.1.0), datacore-mv (=10.3.0) +2 more potentially affected by CVE-2024-47822 via @directus/api (>=10.0.0 <=21.0.0-rc.0)
@directus/api NPM version =10.0.0, =10.0.0, =1.0.0, =2.0.0 Source cves: CVE-2024-47822 Source advisory: OSV:GHSA-VW58-PH65-6RXP...
CVE-2025-30353
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.5.0, when a Flow with the "Webhook" trigger and the "Data of Last Operation" response body encounters a ValidationError thrown by a failed condition operation, the A...
CVE-2025-30353
Directus vulnerability (CVE-2025-30353): In Directus, flows using the Webhook trigger with the Data of Last Operation response can disclose sensitive data when a ValidationError occurs. Affected versions are 9.12.0 up to, but not including, 11.5.0. The exposure includes environment variables, API...
CVE-2025-30351 Suspended Directus user can continue to use session token to access API
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.10.0 and prior to version 11.5.0, a suspended user can use the token generated in session auth mode to access the API despite their status. This happens because there is a check missing in...
CVE-2025-27089
Directus is a real-time API and App dashboard for managing SQL database content. In affected versions, if there are two overlapping policies for the update action that allow access to different fields, instead of correctly checking access permissions against the item they apply to, the user is...
CVE-2024-54151
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 11.0.0 and prior to version 11.3.0, when setting WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH to "public", an unauthenticated user is able to do any of the supported operations (CRUD, subscriptions...
CVE-2024-47822 Directus inserts access token from query string into logs
Directus is a real-time API and App dashboard for managing SQL database content. Access tokens from query strings are not redacted and are potentially exposed in system logs, which may be persisted. The access token in req.query is not redacted when LOG_STYLE is set to raw. If these logs are no...
@deconz-community/directus-extension-ddf-store (=0.1.0), datacore-mv (=10.3.0) +2 more potentially affected by CVE-2024-46990 via @directus/api (>=10.0.0 <=21.0.0-rc.0)
@directus/api NPM version =10.0.0, =10.0.0, =1.0.0, =2.0.0 Source cves: CVE-2024-46990 Source advisory: OSV:GHSA-68G8-C275-XF2M...
@deconz-community/directus-extension-ddf-store (=0.1.0), @directus/api (=21.0.1) +3 more potentially affected by CVE-2024-45596 via @directus/api (>=10.0.0 <=21.0.0)
@directus/api NPM version =10.0.0, =10.0.0, =1.0.0, =2.0.0 Source cves: CVE-2024-45596 Source advisory: OSV:GHSA-CFF8-X7JV-4FM8...
@directus/api (>=16.0.0 <=19.2.0), directus (>=10.9.0 <=10.11.2) +3 more potentially affected by CVE-2024-39895 via @directus/env (>=1.0.0 <=1.1.5)
@directus/env NPM version =1.0.0, =16.0.0, =10.9.0, =1.2.0, =10.10.4, =18.2.1-q1, =19.0.3-quantum.2 Source cves: CVE-2024-39895 Source advisory: OSV:GHSA-7HMH-PFRP-VCX4...
@deconz-community/directus-extension-ddf-store (=0.1.0), datacore-mv (=10.3.0) +2 more potentially affected by CVE-2024-39699 via @directus/api (>=10.0.0 <=17.0.1)
@directus/api NPM version =10.0.0, =10.0.0, =1.0.0, =1.1.2 Source cves: CVE-2024-39699 Source advisory: OSV:GHSA-8P72-RCQ4-H6PW...
@directus/api (>=18.0.0 <=19.0.2) potentially affected by CVE-2024-34708 via directus (>=10.10.0 <=10.10.7)
directus NPM version =10.10.0, =18.0.0, =19.0.2 Source cves: CVE-2024-34708 Source advisory: OSV:GHSA-P8V3-M643-4XQX...
@angular-devkit/build-angular (>=17.1.0-next.1 <=18.0.0-next.1), @directus/api (>=15.0.0 <=19.0.2) +25 more potentially affected by CVE-2024-30260 via undici (>=6.0.1 <=6.10.2)
undici NPM version =6.0.1, =17.1.0-next.1, =15.0.0, =10.0.15, =1.0.7, =18.0.0-next.3, =18.0.0-next.3, =1.0.0-alpha.22, =1.0.0-alpha.22, =1.0.0-alpha.22, =1.0.5, =1.0.6 and more Source cves: CVE-2024-30260 Source advisory: OSV:GHSA-M4V8-WQVR-P9F7...