CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Positive Technologies•added 2026/05/22 12:0 a.m.•6 views

PT-2026-42720

Mothra would respect a default value given by a website for HTML file upload forms. An attacker could craft a website with a malicious default file path, and then conceal this form element...

8.2CVSS5.8AI score0.00055EPSS

Packet Storm News•added 2026/04/26 12:0 a.m.•3 views

The Vehicle May Be Sick: Denial of Diagnostic Services by Exploiting the CAN Transport Protocol

Vehicle diagnostics has become essential for detecting in-vehicle errors and ensuring safety. While the Unified Diagnostic Services UDS protocol is widely adopted for diagnostic operations, it relies on the ISO 15765-2 standard as the transport protocol over the Controller Area Network CAN, which...

5.7AI score

Exploits0

RedhatCVE•added 2026/04/07 11:1 p.m.•4 views

CVE-2026-35442

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, aggregate functions min, max applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any authenticated...

NVD•added 2026/04/06 10:16 p.m.•4 views

CVE-2026-35442

8.1CVSS0.00018EPSS

Cvelist•added 2026/04/06 9:36 p.m.•15 views

CVE-2026-35442 Directus: Authenticated Users Can Extract Concealed Fields via Aggregate Queries

8.1CVSS0.00018EPSS

CVE•added 2026/04/06 9:36 p.m.•9 views

CVE-2026-35442

CVE-2026-35442 affects Directus prior to 11.17.0, where aggregate functions (min/max) on fields with the concealed type can return raw database values instead of masked placeholders. When used with groupBy, any authenticated user with read access to the affected collection can extract concealed v...

Exploits0References1Affected Software1

ATTACKERKB•added 2026/04/06 9:36 p.m.•3 views

CVE-2026-35442

Exploits0References2Affected Software1

Vulnrichment•added 2026/04/06 9:36 p.m.•1 views

CVE-2026-35442 Directus: Authenticated Users Can Extract Concealed Fields via Aggregate Queries

Snyk•added 2026/04/04 6:13 a.m.•4 views

Incorrect Authorization

Overview directus is a Directus is a real-time API and App dashboard for managing SQL database content. Affected versions of this package are vulnerable to Incorrect Authorization in the aggregate query process when applying min or max functions to fields marked as concealed. An attacker can...

8.6CVSS5.9AI score0.00018EPSS

OSV•added 2026/04/04 6:13 a.m.•5 views

GHSA-38HG-WW64-RRWC Directus: Authenticated Users Can Extract Concealed Fields via Aggregate Queries

Summary Aggregate functions min, max applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any authenticated user with read access to the affected collection can extract concealed field values, includi...

Github Security Blog•added 2026/04/04 6:13 a.m.•7 views

Exploits0References3

Directus: Authenticated Users Can Extract Concealed Fields via Aggregate Queries

Exploits0References3Affected Software1

Positive Technologies•added 2026/04/04 12:0 a.m.•2 views

PT-2026-30332

Name of the Vulnerable Software and Affected Versions Directus affected versions not specified Description Aggregate functions min, max applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any...

Veracode•added 2026/03/13 5:10 a.m.•6 views

Exploits0References5

Information Disclosure

Directus is vulnerable to information disclosure. The vulnerability is due to improper filtering of concealed fields in search queries, which allows an authenticated attacker to infer matches from returned records and enumerate sensitive data even though the values appear masked...

6.5CVSS5.8AI score0.00049EPSS

Exploits0References2Affected Software2

Positive Technologies•added 2026/02/13 12:0 a.m.•4 views

PT-2026-8006

Name of the Vulnerable Software and Affected Versions free5GC version 4.0.1 Description A flaw exists in the AMF component of free5GC that could allow a remote attacker to disrupt service. This happens due to an array index out of bounds condition when processing a specially crafted 5GS Mobile...

7.5CVSS5.5AI score0.00218EPSS

Exploits1References5

Github Security Blog•added 2025/11/13 11:6 p.m.•5 views

Directus's conceal fields are searchable if read permissions enabled

Summary A vulnerability allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked , successful matches can be detected through returned records, enabling enumeration attacks on sensitive data. Details The system permits sear...

6.5CVSS6.9AI score0.00049EPSS

Exploits0References4Affected Software2

EUVD•added 2025/11/13 11:6 p.m.•2 views

EUVD-2025-177193

Directus's conceal fields are searchable if read permissions enabled...

6.5CVSS6.5AI score0.00049EPSS

Snyk•added 2025/11/13 11:6 p.m.•2 views

Insertion of Sensitive Information Into Sent Data

Overview @directus/api is a real-time API and App dashboard for managing SQL database content Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data due to concealed fields being searchable if read permissions enabled. An attacker can infer the...

7.1CVSS7.5AI score0.00049EPSS

OSV•added 2025/11/13 11:6 p.m.•1 views

GHSA-8JPW-GPR4-8CMH Directus's conceal fields are searchable if read permissions enabled

6.5CVSS6.8AI score0.00049EPSS

Exploits0References4

NVD•added 2025/11/13 10:15 p.m.•1 views

CVE-2025-64748

Directus is a real-time API and App dashboard for managing SQL database content. A vulnerability in versions prior to 11.13.0 allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked , successful matches can be detected...

6.5CVSS0.00049EPSS