Lucene search

67 matches found

EUVD
added 2026/04/09 4:07 p.m., 20 views

EUVD-2026-20950

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/id endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content...

8.5 CVSS, 5.9 AI score, 0.0004 EPSS
Exploits: 0, References: 2

Snyk
added 2026/02/12 10:13 p.m., 3 views

Information Exposure

Overview: @directus/api is a real-time API and App dashboard for managing SQL database content. Affected versions of this package are vulnerable to Information Exposure via the password reset functionality. An attacker can determine the existence of user accounts by measuring response time...

6.9 CVSS, 5.8 AI score, 0.00014 EPSS
Exploits: 0, References: 2

vulnersOsv
added 2026/02/12 10:13 p.m., 4 views

@bicou/directus-extension-imagga (>=1.6.3 <=1.6.6), @deconz-community/directus-extension-ddf-store (=0.1.0) +7 more potentially affected by CVE-2026-26185 via @directus/api (>=10.0.0 <=32.1.1)

@directus/api NPM version =10.0.0, =1.6.3, =1.2.2, =10.0.0, =1.0.0, =2.0.0 - directus-extension-blog-year-filter =1.0.0 Source cves: CVE-2026-26185 Source advisory: OSV:GHSA-JR94-GJ3H-C8RF...

5.3 CVSS, 5.8 AI score, 0.00014 EPSS
Exploits: 0

RedhatCVE
added 2026/01/09 9:27 a.m., 6 views

CVE-2023-45820

Directus is a real-time API and App dashboard for managing SQL database content. In affected versions any Directus installation that has websockets enabled can be crashed if the websocket server receives an invalid frame. A malicious user could leverage this bug to crash Directus. This issue has...

6.5 CVSS, 7.2 AI score, 0.0036 EPSS
Exploits: 1, References: 1

RedhatCVE
added 2026/01/09 9:03 a.m., 10 views

CVE-2024-39895

Directus is a real-time API and App dashboard for managing SQL database content. A denial of service (DoS) attack by field duplication in GraphQL is a type of attack where an attacker exploits the flexibility of GraphQL to overwhelm a server by requesting the same field multiple times in a single...

6.5 CVSS, 7.3 AI score, 0.00859 EPSS
Exploits: 1, References: 1

vulnersOsv
added 2026/01/06 7:22 p.m., 2 views

@bicou/directus-extension-imagga (>=1.6.3 <=1.6.6), @deconz-community/directus-extension-ddf-store (=0.1.0) +7 more potentially affected by CVE-2026-22032 via @directus/api (>=10.0.0 <=32.1.0)

@directus/api NPM version =10.0.0, =1.6.3, =1.2.2, =10.0.0, =1.0.0, =2.0.0 - directus-extension-blog-year-filter =1.0.0 Source cves: CVE-2026-22032 Source advisory: OSV:GHSA-3573-4C68-G8CC...

6.1 CVSS, 5.8 AI score, 0.00087 EPSS
Exploits: 0

vulnersOsv
added 2025/12/01 8:44 p.m., 3 views

@bgord/bun (>=1.0.2 <=1.2.4), @devix-tecnologia/utils-ts (=1.0.0) +38 more potentially affected by CVE-2025-14874 via nodemailer (=7.0.10)

nodemailer NPM version =7.0.10 is affected by a known vulnerability. The following packages have a transitive dependency on nodemailer and may be impacted: - @bgord/bun =1.0.2, =32.0.0, =4.0.1, =4.9.5, =8.0.1, =8.0.2, =11.3.0, =5.8.38, =1.9.0, =2.1.6, =1.8.0, =0.3.2, =2.17.15 and more Source cves...

7.5 CVSS, 7 AI score, 0.00219 EPSS
Exploits: 1

vulnersOsv
added 2025/11/13 11:07 p.m., 3 views

@bicou/directus-extension-imagga (>=1.6.3 <=1.6.6), @deconz-community/directus-extension-ddf-store (=0.1.0) +7 more potentially affected by CVE-2025-64749 via @directus/api (>=10.0.0 <=31.0.0)

@directus/api NPM version =10.0.0, =1.6.3, =1.2.2, =10.0.0, =1.0.0, =2.0.0 - directus-extension-blog-year-filter =1.0.0 Source cves: CVE-2025-64749 Source advisory: OSV:GHSA-CPH6-524F-3HGR...

4.3 CVSS, 5.8 AI score, 0.00046 EPSS
Exploits: 1

OSV
added 2025/11/13 11:07 p.m., 2 views

GHSA-CPH6-524F-3HGR Directus Vulnerable to Information Leakage in Existing Collections

Summary: An observable difference in error messaging was found in the Directus REST API. The /items/collection API returns different error messages for these two cases: 1. A user tries to access an existing collection which they are not authorized to access. 2. A user tries to access a non-existi...

4.3 CVSS, 6.6 AI score, 0.00046 EPSS
Exploits: 1, References: 4

vulnersOsv
added 2025/11/13 11:06 p.m., 3 views

@bicou/directus-extension-imagga (>=1.6.3 <=1.6.6), @deconz-community/directus-extension-ddf-store (=0.1.0) +7 more potentially affected by CVE-2025-64748 via @directus/api (>=10.0.0 <=31.0.0)

@directus/api NPM version =10.0.0, =1.6.3, =1.2.2, =10.0.0, =1.0.0, =2.0.0 - directus-extension-blog-year-filter =1.0.0 Source cves: CVE-2025-64748 Source advisory: OSV:GHSA-8JPW-GPR4-8CMH...

6.5 CVSS, 5.8 AI score, 0.00044 EPSS
Exploits: 0

Snyk
added 2025/11/13 11:06 p.m., 1 view

Insertion of Sensitive Information Into Sent Data

Overview: @directus/api is a real-time API and App dashboard for managing SQL database content. Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data due to concealed fields being searchable if read permissions enabled. An attacker can infer the...

7.1 CVSS, 7.5 AI score, 0.00044 EPSS
Exploits: 0, References: 2

NVD
added 2025/11/13 10:15 p.m., 3 views

CVE-2025-64749

Directus is a real-time API and App dashboard for managing SQL database content. An observable difference in error messaging was found in the Directus REST API in versions of Directus prior to version 11.13.0. The /items/collection API returns different error messages for two cases: when a user...

4.3 CVSS, 0.00046 EPSS
Exploits: 1, References: 2

Snyk
added 2025/11/13 9:58 p.m., 3 views

Access Control Bypass

Overview: @directus/api is a real-time API and App dashboard for managing SQL database content. Affected versions of this package are vulnerable to Access Control Bypass due to improper cleanup of field-level permissions when a field is deleted. An attacker can gain unauthorized access to data by...

5.1 CVSS, 7.4 AI score, 0.00041 EPSS
Exploits: 1, References: 2

EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2019-5242

Malware in sbrugna...

8.8 CVSS, 8.8 AI score, 0.01049 EPSS
Exploits: 1, References: 2

EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2019-5241

Malware in sbrugna...

8.8 CVSS, 8.8 AI score, 0.01077 EPSS
Exploits: 1, References: 3

EUVD
added 2025/10/03 8:07 p.m., 1 view

EUVD-2023-1055

Malicious code in bioql PyPI...

4.3 CVSS, 4.8 AI score, 0.00301 EPSS
Exploits: 0, References: 5

EUVD
added 2025/10/03 8:07 p.m., 1 view

EUVD-2024-0833

Malicious code in bioql PyPI...

5.3 CVSS, 5.4 AI score, 0.00437 EPSS
Exploits: 0, References: 4

EUVD
added 2025/10/03 8:07 p.m., 2 views

EUVD-2024-2287

Malicious code in bioql PyPI...

6.5 CVSS, 6.4 AI score, 0.00859 EPSS
Exploits: 1, References: 4

EUVD
added 2025/10/03 8:07 p.m., 1 view

EUVD-2024-2769

Malicious code in bioql PyPI...

7.4 CVSS, 6.4 AI score, 0.00753 EPSS
Exploits: 1, References: 7

EUVD
added 2025/10/03 8:07 p.m., 1 view

EUVD-2024-1618

Malicious code in bioql PyPI...

5.4 CVSS, 5.6 AI score, 0.00226 EPSS
Exploits: 1, References: 4