836 matches found
Information Disclosure
Directus is vulnerable to information disclosure. The vulnerability is due to the exact Directus version number being exposed as the OpenAPI Spec version at the /server/specs/oas endpoint without authentication, which allows an attacker to identify the running version and target known...
Information Disclosure
Directus is vulnerable to information exposure. The vulnerability is due to logging all incoming request details, including sensitive data like access and refresh tokens when using WebHook triggers in Flows, which allows an attacker with log access to hijack user sessions within the token...
CVE-2025-53889
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.9.0, Directus Flows with a manual trigger are not validating whether the user triggering the Flow has permissions to the items provided as payload to the Flow...
CVE-2025-53886
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows with the WebHook trigger all incoming request details are logged including security sensitive data like access and refresh tokens in...
CVE-2025-53885
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows to handle CRUD events for users it is possible to log the incoming data to console using the "Log to Console" operation and a template...
CVE-2025-53887
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, the exact Directus version number is incorrectly being used as OpenAPI Spec version this means that it is being exposed by the /server/specs/oas endpoint without...
Directus' insufficient permission checks can enable unauthenticated users to manually trigger Flows
Summary Directus Flows with a manual trigger are not validating whether the user triggering the Flow has permissions to the items provided as payload to the Flow. Depending on what the Flow is set up to do this can lead to the Flow executing potential tasks on the attacker's behalf without...
@altipla/directus-sdk-utils (=0.7.2), @bicou/directus-extension-imagga (>=1.6.3 <=1.6.6) +9 more potentially affected by CVE-2025-53889 via directus (>=10.10.0 <=11.8.0)
directus NPM version =10.10.0, =1.6.3, =11.16.1-depup.0, =15.0.0, =1.2.2, =1.0.0, =2.0.0 - directus-extension-blog-year-filter =1.0.0 - lease-directus-template =0.0.0 Source cves: CVE-2025-53889 Source advisory: OSV:GHSA-7CVF-PXGP-42FC...
GHSA-7CVF-PXGP-42FC Directus' insufficient permission checks can enable unauthenticated users to manually trigger Flows
Summary Directus Flows with a manual trigger are not validating whether the user triggering the Flow has permissions to the items provided as payload to the Flow. Depending on what the Flow is set up to do this can lead to the Flow executing potential tasks on the attacker's behalf without...
Directus' exact version number is exposed by the OpenAPI Spec
Summary The exact Directus version number is incorrectly being used as OpenAPI Spec version this means that it is being exposed by the /server/specs/oas endpoint without authentication. Impact With the exact version information a malicious attacker can look for known vulnerabilities in Directus...
@altipla/directus-sdk-utils (=0.7.2), @bicou/directus-extension-imagga (>=1.6.3 <=1.6.6) +9 more potentially affected by CVE-2025-53887 via directus (>=10.10.0 <=11.8.0)
directus NPM version =10.10.0, =1.6.3, =11.16.1-depup.0, =15.0.0, =1.2.2, =1.0.0, =2.0.0 - directus-extension-blog-year-filter =1.0.0 - lease-directus-template =0.0.0 Source cves: CVE-2025-53887 Source advisory: OSV:GHSA-RMJH-CF9Q-PV7Q...
GHSA-RMJH-CF9Q-PV7Q Directus' exact version number is exposed by the OpenAPI Spec
Summary The exact Directus version number is incorrectly being used as OpenAPI Spec version this means that it is being exposed by the /server/specs/oas endpoint without authentication. Impact With the exact version information a malicious attacker can look for known vulnerabilities in Directus...
Directus tokens are not redacted in flow logs, exposing session credentials to all admin
Summary When using Directus Flows with the WebHook trigger, all incoming request details are logged including security sensitive data like access and refresh tokens in cookies. Impact Malicious admins with access to the logs can hijack the user sessions within the token expiration time of them...
@altipla/directus-sdk-utils (=0.7.2), @bicou/directus-extension-imagga (>=1.6.3 <=1.6.6) +9 more potentially affected by CVE-2025-53886 via directus (>=10.10.0 <=11.8.0)
directus NPM version =10.10.0, =1.6.3, =11.16.1-depup.0, =15.0.0, =1.2.2, =1.0.0, =2.0.0 - directus-extension-blog-year-filter =1.0.0 - lease-directus-template =0.0.0 Source cves: CVE-2025-53886 Source advisory: OSV:GHSA-F24X-RM6G-3W5V...
GHSA-F24X-RM6G-3W5V Directus tokens are not redacted in flow logs, exposing session credentials to all admin
Summary When using Directus Flows with the WebHook trigger, all incoming request details are logged including security sensitive data like access and refresh tokens in cookies. Impact Malicious admins with access to the logs can hijack the user sessions within the token expiration time of them...
Directus is vulnerable to sensitive data exposure as user data is not being redacted when logged
Summary When using Directus Flows to handle CRUD events for users it is possible to log the incoming data to console using the "Log to Console" operation and a template string. Impact Malicious admins can log sensitive data from other users when they are created or updated. Workarounds Avoid...
GHSA-X3VM-88HF-GPXP Directus is vulnerable to sensitive data exposure as user data is not being redacted when logged
Summary When using Directus Flows to handle CRUD events for users it is possible to log the incoming data to console using the "Log to Console" operation and a template string. Impact Malicious admins can log sensitive data from other users when they are created or updated. Workarounds Avoid...
CVE-2025-53885
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows to handle CRUD events for users it is possible to log the incoming data to console using the "Log to Console" operation and a template...
CVE-2025-53886
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows with the WebHook trigger all incoming request details are logged including security sensitive data like access and refresh tokens in...
CVE-2025-53887
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, the exact Directus version number is incorrectly being used as OpenAPI Spec version this means that it is being exposed by the /server/specs/oas endpoint without...