CVE-2021-26594
In Directus 8.x through 8.8.1, an attacker can switch to the administrator role via the PATCH method without any control by the back end. NOTE: This vulnerability only affects products that are no longer supported by the maintainer...
CVE-2021-26595
In Directus 8.x through 8.8.1, an attacker can learn sensitive information such as the version of the CMS, the PHP version used by the site, and the name of the DBMS, simply by viewing the result of the api-aa, called automatically upon a connection. NOTE: This vulnerability only affects products th...
CVE-2021-26593
In Directus 8.x through 8.8.1, an attacker can see all users in the CMS using the API /users/id. For each call, they get in response a lot of information about the user such as email address, first name, and last name but also the secret for 2FA if one exists. This secret can be regenerated. NOTE...
CVE-2021-29641
Directus 8 before 8.8.2 allows remote authenticated users to execute arbitrary code because file-upload permissions include the ability to upload a .php file to the main upload directory and/or upload a .php file and a .htaccess file to a subdirectory. Exploitation succeeds only for certain...
CVE-2020-19850
An issue found in Directus API v.2.2.0 allows a remote attacker to cause a denial of service via a great amount of HTTP requests...
CVE-2019-13979
In Directus 7 API before 2.2.1, uploading of PHP files is not blocked, leading to uploads//originals remote code execution...
CVE-2019-13982
interfaces/markdown/input.vue in Directus 7 Application before 7.7.0 does not sanitize Markdown text before rendering a preview...
CVE-2019-13981
In Directus 7 API through 2.3.0, remote attackers can read image files via a direct request for a filename under the uploads//originals/ directory. This is related to a configuration option in which the file collection can be non-public, but this option does not apply to the thumbnailer...
CVE-2019-13980
In Directus 7 API through 2.3.0, uploading of PHP files is blocked only when the Apache HTTP Server is used, leading to uploads//originals remote code execution with nginx...
CVE-2019-13984
Directus 7 API before 2.3.0 does not validate uploaded files. Regardless of the file extension or MIME type, there is a direct link to each uploaded file, accessible by unauthenticated users, as demonstrated by the EICAR Anti-Virus Test File...
CVE-2019-13983
Directus 7 API before 2.2.2 has insufficient anti-automation, as demonstrated by lack of a CAPTCHA in core/Directus/Services/AuthService.php and endpoints/Auth.php...
Vulnerability in the application programming interface of Directus for managing SQL database content, allowing an attacker to escalate privileges
The vulnerability in the application programming interface of Directus for managing SQL database content is related to insecure privilege management. Exploiting this vulnerability could allow a remote malicious actor to escalate their privileges by using certain administrative functions...
@deconz-community/directus-extension-ddf-store (=0.1.0), datacore-mv (=10.3.0) +2 more potentially affected by CVE-2024-47822 via @directus/api (>=10.0.0 <=21.0.0-rc.0)
@directus/api NPM version =10.0.0, =10.0.0, =1.0.0, =2.0.0 Source cves: CVE-2024-47822 Source advisory: OSV:GHSA-VW58-PH65-6RXP...
Denial Of Service (DoS)
@directus/storage-driver-s3 is vulnerable to Denial of Service (DoS). The vulnerability is due to improper handling of malformed transformation requests, which allows an attacker to trigger a state where all assets return 403 errors, leading to asset unavailability across all Directus policies...
Denial Of Service (DoS)
@directus/storage-driver-s3 is vulnerable to Denial of Service (DoS). The vulnerability is due to asset unavailability caused by excessive HEAD requests, which allows an attacker to trigger 403 errors for all assets and deny access across all Directus policies...
Unauthorized API Access
Directus is vulnerable to unauthorized API access by suspended users. The vulnerability is due to missing session validation: verifySessionJWT does not check whether the user is still active and authorized...
CVE-2025-30351
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.10.0 and prior to version 11.5.0, a suspended user can use the token generated in session auth mode to access the API despite their status. This happens because there is a check missing in...
CVE-2025-30225
Directus is a real-time API and App dashboard for managing SQL database content. The @directus/storage-driver-s3 package starting in version 9.22.0 and prior to version 12.0.1, corresponding to Directus starting in version 9.22.0 and prior to 11.5.0, is vulnerable to asset unavailability after a...
CVE-2025-30352
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0-alpha.4 and prior to version 11.5.0, the search query parameter allows users with access to a collection to filter items based on fields they do not have permission to view. This allows the...
CVE-2025-30350
Directus is a real-time API and App dashboard for managing SQL database content. The @directus/storage-driver-s3 package starting in version 9.22.0 and prior to version 12.0.1, corresponding to Directus starting in version 9.22.0 and prior to 11.5.0, is vulnerable to asset unavailability after a...