836 matches found
ch.iterial.keycloak.plugins:keycloak-directus-plugin (>=0.1.0 <=0.7.0), com.charlyghislain.keycloak:keycloak-importexport (>=21.0.0 <=23.0.1) +149 more potentially affected by CVE-2025-14082 via org.keycloak:keycloak-services (>=1.0-alpha-1 <=26.4.7)
org.keycloak:keycloak-services MAVEN version =1.0-alpha-1, =0.1.0, =21.0.0, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.0.1, =1.1.7 and more Source cves: CVE-2025-14082 Source advisory: OSV:GHSA-6Q37-7866-H27J...
@bgord/bun (>=1.0.2 <=1.2.4), @devix-tecnologia/utils-ts (=1.0.0) +38 more potentially affected by CVE-2025-14874 via nodemailer (=7.0.10)
nodemailer NPM version =7.0.10 is affected by a known vulnerability. The following packages have a transitive dependency on nodemailer and may be impacted: - @bgord/bun =1.0.2, =32.0.0, =4.0.1, =4.9.5, =8.0.1, =8.0.2, =11.3.0, =5.8.38, =1.9.0, =2.1.6, =1.8.0, =0.3.2, =2.17.15 and more Source cves...
CVE-2025-64747
Directus is a real-time API and App dashboard for managing SQL database content. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 11.13.0 that allows users with upload files and edit item permissions to inject malicious JavaScript through the Block Editor interface...
CVE-2025-64749
Directus is a real-time API and App dashboard for managing SQL database content. An observable difference in error messaging was found in the Directus REST API in versions of Directus prior to version 11.13.0. The /items/collection API returns different error messages for two cases: when a user...
CVE-2025-64748
Directus is a real-time API and App dashboard for managing SQL database content. A vulnerability in versions prior to 11.13.0 allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked, successful matches can be detected...
@directus/api (>=15.0.0 <=31.0.0), @linotype/directus-extension-linotype (>=1.2.2 <=1.3.5) +2 more potentially affected by CVE-2025-64747 via directus (>=10.10.0 <=11.12.0)
directus NPM version =10.10.0, =15.0.0, =1.2.2, =1.0.0, =2.0.0 - directus-extension-blog-year-filter =1.0.0 Source cves: CVE-2025-64747 Source advisory: OSV:GHSA-VV2V-PW69-8CRF...
EUVD-2025-177203
Directus is Vulnerable to Stored Cross-site Scripting
Summary: A stored cross-site scripting (XSS) vulnerability exists that allows users with upload files and edit item permissions to inject malicious JavaScript through the Block Editor interface. Attackers can bypass Content Security Policy (CSP) restrictions by combining file uploads with iframe srcdo...
GHSA-VV2V-PW69-8CRF Directus is Vulnerable to Stored Cross-site Scripting
Summary: A stored cross-site scripting (XSS) vulnerability exists that allows users with upload files and edit item permissions to inject malicious JavaScript through the Block Editor interface. Attackers can bypass Content Security Policy (CSP) restrictions by combining file uploads with iframe srcdo...
EUVD-2025-175379
Directus has Improper Permission Handling on Deleted Fields...
@directus/api (>=15.0.0 <=31.0.0), @linotype/directus-extension-linotype (>=1.2.2 <=1.3.5) +2 more potentially affected by CVE-2025-64746 via directus (>=10.10.0 <=11.12.0)
directus NPM version =10.10.0, =15.0.0, =1.2.2, =1.0.0, =2.0.0 - directus-extension-blog-year-filter =1.0.0 Source cves: CVE-2025-64746 Source advisory: OSV:GHSA-9X5G-62GJ-WQF2...
GHSA-9X5G-62GJ-WQF2 Directus has Improper Permission Handling on Deleted Fields
Summary: Directus does not properly clean up field-level permissions when a field is deleted. If a new field with the same name is created later, the system automatically re-applies the old permissions, which can lead to unauthorized access. Details: When a field is removed from a collection, its...
PT-2025-46944
🔴 Directus, Authentication Bypass, CVE-2024-57702 Critical https://t.co/9yo2kbBDPq...
PT-2025-46943
🟠 Directus, Information Disclosure Vulnerability, CVE-2024-28819 Medium https://t.co/UpL6xmyais...
@directus/api (>=15.0.0 <=31.0.0), @linotype/directus-extension-linotype (>=1.2.2 <=1.3.5) +2 more potentially affected by CVE-2025-64749 via directus (>=10.10.0 <=11.12.0)
directus NPM version =10.10.0, =15.0.0, =1.2.2, =1.0.0, =2.0.0 - directus-extension-blog-year-filter =1.0.0 Source cves: CVE-2025-64749 Source advisory: OSV:GHSA-CPH6-524F-3HGR...
EUVD-2025-177199
Directus Vulnerable to Information Leakage in Existing Collections...
@bicou/directus-extension-imagga (>=1.6.3 <=1.6.6), @deconz-community/directus-extension-ddf-store (=0.1.0) +7 more potentially affected by CVE-2025-64749 via @directus/api (>=10.0.0 <=31.0.0)
@directus/api NPM version =10.0.0, =1.6.3, =1.2.2, =10.0.0, =1.0.0, =2.0.0 - directus-extension-blog-year-filter =1.0.0 Source cves: CVE-2025-64749 Source advisory: OSV:GHSA-CPH6-524F-3HGR...
GHSA-CPH6-524F-3HGR Directus Vulnerable to Information Leakage in Existing Collections
Summary: An observable difference in error messaging was found in the Directus REST API. The /items/collection API returns different error messages for these two cases: 1. A user tries to access an existing collection which they are not authorized to access. 2. A user tries to access a non-existi...
Insertion of Sensitive Information Into Sent Data
Overview: @directus/api is a real-time API and App dashboard for managing SQL database content. Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data due to concealed fields being searchable if read permissions are enabled. An attacker can infer the...
@bicou/directus-extension-imagga (>=1.6.3 <=1.6.6), @deconz-community/directus-extension-ddf-store (=0.1.0) +7 more potentially affected by CVE-2025-64748 via @directus/api (>=10.0.0 <=31.0.0)
@directus/api NPM version =10.0.0, =1.6.3, =1.2.2, =10.0.0, =1.0.0, =2.0.0 - directus-extension-blog-year-filter =1.0.0 Source cves: CVE-2025-64748 Source advisory: OSV:GHSA-8JPW-GPR4-8CMH...