836 matches found

NVD
added 2025/01/23 6:15 p.m. | 21 views

CVE-2025-24353

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.2.0, when sharing an item, a typical user can specify an arbitrary role. It allows the user to use a higher-privileged role to see fields that otherwise the user should not be able to see. Instanc...

CVSS 5 | EPSS 0.00372
Exploits: 1 | References: 5
Cvelist
added 2025/01/23 5:45 p.m. | 19 views

CVE-2025-24353 Directus privilege escalation vulnerability using Share feature

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.2.0, when sharing an item, a typical user can specify an arbitrary role. It allows the user to use a higher-privileged role to see fields that otherwise the user should not be able to see. Instanc...

CVSS 5 | EPSS 0.00372
Exploits: 1 | References: 5
OSV
added 2025/01/23 5:45 p.m. | 5 views

CVE-2025-24353 Directus privilege escalation vulnerability using Share feature

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.2.0, when sharing an item, a typical user can specify an arbitrary role. It allows the user to use a higher-privileged role to see fields that otherwise the user should not be able to see. Instanc...

CVSS 5 | AI score 7.3 | EPSS 0.00372
Exploits: 1 | References: 7
CVE
added 2025/01/23 5:45 p.m. | 105 views

CVE-2025-24353

Directus prior to version 11.2.0 is vulnerable to privilege escalation via the share feature. A user can specify an arbitrary role when sharing an item, enabling access to fields that should be restricted for their role. Affected instances are those using the share feature with a role hierarchy a...

CVSS 5 | AI score 5.4 | EPSS 0.00372
Exploits: 1 | References: 5 | Affected Software: 1
Vulnrichment
added 2025/01/23 5:45 p.m. | 5 views

CVE-2025-24353 Directus privilege escalation vulnerability using Share feature

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.2.0, when sharing an item, a typical user can specify an arbitrary role. It allows the user to use a higher-privileged role to see fields that otherwise the user should not be able to see. Instanc...

CVSS 5 | AI score 5.4 | EPSS 0.00372
Exploits: 1 | References: 5
CNNVD
added 2025/01/23 12:00 a.m. | 4 views

Directus security vulnerability

Directus is a real-time API and application dashboard open-sourced by Directus. It is used to manage SQL database content. A security vulnerability exists in Directus versions prior to 11.2.0 that stems from the ability of a user to specify an arbitrary role when sharing an item, resulting in a...

CVSS 5 | AI score 6.5 | EPSS 0.00372
Exploits: 1 | References: 6
Positive Technologies
added 2025/01/23 12:00 a.m. | 5 views

PT-2025-5336 · Directus · Directus

Name of the Vulnerable Software and Affected Versions: Directus versions prior to 11.2.0. Description: The issue allows a typical user to specify an arbitrary role when sharing an item, enabling them to use a higher-privileged role to view fields they should not be able to see. This affects...

CVSS 5 | AI score 7.2 | EPSS 0.00372
Exploits: 1 | References: 12
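The escalation pattern behind CVE-2025-24353, shown as an added illustration that is not Directus code: a share endpoint stores whatever role the caller names, and a later read through that share resolves field visibility under the stored role rather than under the creator's own identity. The collection, FIELD_PERMISSIONS, ITEMS and all function names are constructed for this example. The hardened variant enforces one least-privilege rule, that a share may not carry a role able to read fields the requester cannot read themselves; that rule is chosen for the demonstration and is not a description of the upstream 11.2.0 fix.

```javascript
// Illustrative model of CVE-2025-24353 (added example, not Directus code).
// All names and data below are constructed for the demonstration.

// Which fields each role may read from the 'employees' collection (constructed).
const FIELD_PERMISSIONS = {
  hr_admin: ['id', 'name', 'salary', 'ssn'],
  staff:    ['id', 'name'],
};

// One stored item (constructed).
const ITEMS = {
  42: { id: 42, name: 'Ada', salary: 180000, ssn: '123-45-6789' },
};

const shares = new Map();
let nextShareId = 1;

// Vulnerable: the role named in the request is stored on the share verbatim,
// so a 'staff' user can mint a share that reads as 'hr_admin'.
function createShareVulnerable(requester, req) {
  const id = nextShareId++;
  shares.set(id, { collection: req.collection, item: req.item, role: req.role });
  return id;
}

// Hardened: the share's role must not read anything the requester cannot read.
// (A least-privilege rule chosen for this example, not a claim about the upstream patch.)
function createShareFixed(requester, req) {
  const own = FIELD_PERMISSIONS[requester.role] ?? [];
  const target = FIELD_PERMISSIONS[req.role];
  if (!target) throw new Error('unknown role');
  const broader = target.filter(f => !own.includes(f));
  if (broader.length > 0) {
    throw new Error(`role '${req.role}' reads fields the requester cannot: ${broader.join(', ')}`);
  }
  const id = nextShareId++;
  shares.set(id, { collection: req.collection, item: req.item, role: req.role });
  return id;
}

// Reading through a share link: fields are resolved under the role stored on the
// share, not under the identity of whoever created it. That is why the stored role matters.
function readShared(shareId) {
  const share = shares.get(shareId);
  if (!share) throw new Error('no such share');
  const allowed = FIELD_PERMISSIONS[share.role] ?? [];
  const item = ITEMS[share.item];
  return Object.fromEntries(allowed.filter(f => f in item).map(f => [f, item[f]]));
}

// Driver: a low-privileged 'staff' user tries to share item 42 as 'hr_admin'.
function demo() {
  const staff = { id: 'u-staff', role: 'staff' };
  const req = { collection: 'employees', item: 42, role: 'hr_admin' };
  const leaked = readShared(createShareVulnerable(staff, req));   // salary and ssn exposed
  let fixedError = null;
  try { createShareFixed(staff, req); } catch (e) { fixedError = e.message; }
  const honest = readShared(createShareFixed(staff, { ...req, role: 'staff' }));
  return { leaked, fixedError, honest };
}
```

The check compares what the requested role can read against what the requester can read, so a user can only delegate access they already hold; an equivalent check on the share's update path is needed as well, since the role of an existing share is just as attacker-controlled as the role of a new one.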
Veracode
added 2024/12/19 6:58 a.m. | 14 views

Unauthorized Access

Directus is vulnerable to Unauthorized Access. The vulnerability is due to improper authentication handling when WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH is set to "public", allowing unauthenticated users to perform CRUD operations and subscribe to changes with full admin privileges...

CVSS 7.5 | AI score 7.4 | EPSS 0.00577
Exploits: 1 | References: 4 | Affected Software: 2
Veracode
added 2024/12/17 1:12 p.m. | 8 views

HTML Injection

Directus is vulnerable to HTML Injection. The vulnerability is due to the filtering of restricted characters, such as HTML tags, being implemented on the client side, which can be bypassed, allowing an attacker to inject malicious HTML content...

CVSS 5.7 | AI score 6.5 | EPSS 0.00333
Exploits: 1 | References: 4 | Affected Software: 2
NVD
added 2024/12/09 9:15 p.m. | 21 views

CVE-2024-54151

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 11.0.0 and prior to version 11.3.0, when setting WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH to "public", an unauthenticated user is able to do any of the supported operations (CRUD, subscriptions...

CVSS 7.5 | EPSS 0.00577
Exploits: 1 | References: 2
Cvelist
added 2024/12/09 8:57 p.m. | 41 views

CVE-2024-54151 Directus allows unauthenticated access to WebSocket events and operations

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 11.0.0 and prior to version 11.3.0, when setting WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH to "public", an unauthenticated user is able to do any of the supported operations (CRUD, subscriptions...

CVSS 7.5 | EPSS 0.00577
Exploits: 1 | References: 2
Vulnrichment
added 2024/12/09 8:57 p.m. | 18 views

CVE-2024-54151 Directus allows unauthenticated access to WebSocket events and operations

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 11.0.0 and prior to version 11.3.0, when setting WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH to "public", an unauthenticated user is able to do any of the supported operations (CRUD, subscriptions...

CVSS 7.5 | AI score 7.8 | EPSS 0.00577
Exploits: 1 | References: 2
CVE
added 2024/12/09 8:57 p.m. | 118 views

CVE-2024-54151

Directus vulnerability CVE-2024-54151 affects the Directus real-time API/admin dashboard. From version 11.0.0 up to, but not including, 11.3.0, configuring WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH to "public" allows unauthenticated users to perform any supported operations (CRUD, subscriptions...

CVSS 7.5 | AI score 8.1 | EPSS 0.00577
Exploits: 1 | References: 2 | Affected Software: 1
OSV
added 2024/12/09 8:57 p.m. | 8 views

CVE-2024-54151 Directus allows unauthenticated access to WebSocket events and operations

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 11.0.0 and prior to version 11.3.0, when setting WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH to "public", an unauthenticated user is able to do any of the supported operations (CRUD, subscriptions...

CVSS 7.5 | AI score 7.2 | EPSS 0.00577
Exploits: 1 | References: 4
OSV
added 2024/12/09 8:40 p.m. | 15 views

GHSA-849R-QRWJ-8RV4 Directus allows unauthenticated access to WebSocket events and operations

Summary: When setting WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH to "public", an unauthenticated user is able to do any of the supported operations (CRUD, subscriptions) with full admin privileges. Details: Accountability for unauthenticated WebSocket requests is set to null, which used to be "publi...

CVSS 7.5 | AI score 7.5 | EPSS 0.00577
Exploits: 1 | References: 4
CNNVD
added 2024/12/09 12:00 a.m. | 3 views

Directus information disclosure vulnerability

Directus is a real-time API and application dashboard open-sourced by Directus. It is used to manage SQL database content. An information disclosure vulnerability exists in Directus versions 11.0.0 and later, prior to 11.3.0, which stems from setting WEBSOCKETS_GRAPHQL_AUTH or...

CVSS 7.5 | AI score 6 | EPSS 0.00577
Exploits: 1 | References: 2
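The mechanism that the GHSA-849R-QRWJ-8RV4 entry above describes in one sentence (accountability for unauthenticated WebSocket requests set to null) is the classic sentinel confusion: in a permission layer where a null accountability means "internal system context, skip checks", handing null to an anonymous socket under WEBSOCKETS_*_AUTH=public makes that socket an admin. The model below is an added example, not Directus source; the PERMISSIONS table, SESSIONS, the accountability object shape, the function names and the use of 'strict' as a stand-in for any non-public auth mode are all assumptions. The hardened resolver represents the anonymous client as an explicit public identity instead of null.

```javascript
// Illustrative model of CVE-2024-54151 / GHSA-849R-QRWJ-8RV4 (added example, not Directus code).
// The accountability shape, PERMISSIONS, SESSIONS and the function names are assumptions.

// Permission table shared by every transport (constructed). role === null means "public".
const PERMISSIONS = [
  { role: null,     collection: 'articles', action: 'read'   },
  { role: 'editor', collection: 'articles', action: 'update' },
  { role: 'editor', collection: 'articles', action: 'delete' },
];

// The permission layer. As in many frameworks, a *null* accountability is the internal
// system context that skips all checks; it must never be derived from untrusted input.
function isAllowed(accountability, collection, action) {
  if (accountability === null) return true;
  if (accountability.admin === true) return true;
  return PERMISSIONS.some(p =>
    p.role === accountability.role && p.collection === collection && p.action === action);
}

// Token -> identity (constructed).
const SESSIONS = { 'tok-editor': { user: 'u1', role: 'editor', admin: false } };

function lookupToken(token) {
  const s = SESSIONS[token];
  if (!s) throw new Error('invalid token');
  return s;
}

// Vulnerable resolver: with WEBSOCKETS_*_AUTH=public an anonymous socket gets null,
// which isAllowed() reads as "system", not "public".
function resolveAccountabilityVulnerable(authMode, token) {
  if (token) return lookupToken(token);
  if (authMode === 'public') return null;      // BUG: null is the bypass value
  throw new Error('authentication required');
}

// Hardened resolver: an anonymous socket becomes an explicit public identity.
const PUBLIC = Object.freeze({ user: null, role: null, admin: false });
function resolveAccountabilityFixed(authMode, token) {
  if (token) return lookupToken(token);
  if (authMode === 'public') return PUBLIC;
  throw new Error('authentication required');
}

// Dispatch one WebSocket message of the form { type: 'items', collection, action }.
// authMode models WEBSOCKETS_REST_AUTH: 'public' admits anonymous sockets; 'strict'
// stands in for any mode that requires credentials.
function handleMessage(resolve, authMode, token, msg) {
  let acc;
  try { acc = resolve(authMode, token); }
  catch (e) { return { status: 'error', error: e.message }; }
  return isAllowed(acc, msg.collection, msg.action)
    ? { status: 'ok' }
    : { status: 'error', error: 'forbidden' };
}

const READ   = { type: 'items', collection: 'articles', action: 'read' };
const DELETE = { type: 'items', collection: 'articles', action: 'delete' };
```

The durable fix is structural rather than a one-line patch: give the permission layer a distinct, explicit value for "anonymous" so that null can only be produced by internal code paths, and have an integration test that sends an unauthenticated delete over each transport (REST, GraphQL, WebSocket) and expects a forbidden response.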
OSV
added 2024/12/05 10:37 p.m. | 4 views

GHSA-R6WX-627V-GH2F Directus has an HTML Injection in Comment

Summary: The Comment feature has implemented a filter to prevent users from adding restricted characters, such as HTML tags. However, this filter operates on the client side, which can be bypassed, making the application vulnerable to HTML Injection. Details: The Comment feature implements a...

CVSS 5.7 | AI score 5.9 | EPSS 0.00333
Exploits: 1 | References: 5
NVD
added 2024/12/05 5:15 p.m. | 24 views

CVE-2024-54128

Directus is a real-time API and App dashboard for managing SQL database content. The Comment feature has implemented a filter to prevent users from adding restricted characters, such as HTML tags. However, this filter operates on the client side, which can be bypassed, making the application...

CVSS 5.7 | EPSS 0.00333
Exploits: 1 | References: 1
Vulnrichment
added 2024/12/05 4:55 p.m. | 9 views

CVE-2024-54128 Directus has an HTML Injection in Comment

Directus is a real-time API and App dashboard for managing SQL database content. The Comment feature has implemented a filter to prevent users from adding restricted characters, such as HTML tags. However, this filter operates on the client side, which can be bypassed, making the application...

CVSS 5.7 | AI score 7.1 | EPSS 0.00333
Exploits: 1 | References: 1
Cvelist
added 2024/12/05 4:55 p.m. | 22 views

CVE-2024-54128 Directus has an HTML Injection in Comment

Directus is a real-time API and App dashboard for managing SQL database content. The Comment feature has implemented a filter to prevent users from adding restricted characters, such as HTML tags. However, this filter operates on the client side, which can be bypassed, making the application...

CVSS 5.7 | EPSS 0.00333
Exploits: 1 | References: 1
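Why a client-side tag filter is no control at all, as an added illustration of the CVE-2024-54128 / GHSA-R6WX-627V-GH2F entries above (not Directus code): the same payload is submitted once through the UI path, where the browser-side filter runs, and once straight to the API, where it does not. The comment store, the filter, the escape function and all names are constructed for this example; the hardened server escapes on write regardless of which path the request took.

```javascript
// Illustrative model of CVE-2024-54128 (added example, not Directus code).
// Function names, the comment stores and the sample payload are constructed.

// What the UI does before sending: strips anything that looks like a tag.
// It runs in the submitter's browser, so it is advisory only.
function clientSideFilter(text) {
  return text.replace(/<[^>]*>/g, '');
}

// Server-side escape applied on write. Covers the five characters that change
// meaning in HTML text and attribute contexts.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, ch => map[ch]);
}

const commentsVulnerable = [];
const commentsFixed = [];

// Vulnerable server: assumes the client already filtered the text.
function apiCreateCommentVulnerable(body) {
  commentsVulnerable.push(body.comment);
  return commentsVulnerable.length - 1;
}

// Fixed server: escapes unconditionally, so the UI filter becomes irrelevant to safety.
function apiCreateCommentFixed(body) {
  commentsFixed.push(escapeHtml(body.comment));
  return commentsFixed.length - 1;
}

// Does stored text still contain a raw tag opener?
function containsTag(text) {
  return /<[a-zA-Z/!]/.test(text);
}

// Same payload, three routes: UI -> vulnerable API, direct -> vulnerable API, direct -> fixed API.
function demo() {
  const payload = '<img src=x onerror=alert(1)>hello';
  const viaUiVuln  = commentsVulnerable[apiCreateCommentVulnerable({ comment: clientSideFilter(payload) })];
  const viaApiVuln = commentsVulnerable[apiCreateCommentVulnerable({ comment: payload })];
  const viaApiFixed = commentsFixed[apiCreateCommentFixed({ comment: payload })];
  return { viaUiVuln, viaApiVuln, viaApiFixed };
}
```

Whether the server escapes at write time, as here, or at render time with a context-aware encoder is a separate design choice; the point the advisory makes is only that the enforcement must sit on the server side of the trust boundary, where a curl request and a browser submission are indistinguishable.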