Lucene search

7 matches found

EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2018-2793

Malware in sbrugna...

CVSS 9.8 | AI score 9.5 | EPSS 0.00457
Exploits: 1 | References: 2

EUVD
added 2025/10/03 8:7 p.m. | 3 views

EUVD-2025-21396

Malicious code in bioql PyPI...

CVSS 4.2 | AI score 6.4 | EPSS 0.00109
Exploits: 0 | References: 5

Cvelist
added 2025/07/14 11:18 p.m. | 5 views

CVE-2025-53885 Directus doesn't redact sensitive user data when logging via event hooks

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows to handle CRUD events for users it is possible to log the incoming data to console using the "Log to Console" operation and a template...

CVSS 4.2 | EPSS 0.00109
Exploits: 0 | References: 4

RedhatCVE
added 2025/03/28 6:10 p.m. | 8 views

CVE-2025-30352

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0-alpha.4 and prior to version 11.5.0, the search query parameter allows users with access to a collection to filter items based on fields they do not have permission to view. This allows the...

CVSS 5.3 | AI score 7.8 | EPSS 0.00144
Exploits: 0 | References: 1

OSV
added 2025/03/26 6:44 p.m. | 6 views

GHSA-7WQ3-JR35-275C Directus `search` query parameter allows enumeration of non permitted fields

Summary The search query parameter allows users with access to a collection to filter items based on fields they do not have permission to view. This allows the enumeration of unknown field contents. Details The searchable columns numbers & strings are not checked against permissions when injecti...

CVSS 5.3 | AI score 5.2 | EPSS 0.00144
Exploits: 0 | References: 4

CVE
added 2025/03/26 5:13 p.m. | 84 views

CVE-2025-30351

CVE-2025-30351 affects Directus: real-time API and app dashboard for SQL DB content. From version 10.10.0 up to, but not including, 11.5.0, a suspended user can keep using a token from session auth to access the API because verifySessionJWT does not check that the user is still active. This enabl...

CVSS 4.3 | AI score 7.7 | EPSS 0.00397
Exploits: 1 | References: 2 | Affected Software: 1

Vulnrichment
added 2025/03/26 5:13 p.m. | 7 views

CVE-2025-30351 Suspended Directus user can continue to use session token to access API

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.10.0 and prior to version 11.5.0, a suspended user can use the token generated in session auth mode to access the API despite their status. This happens because there is a check missing in...

CVSS 3.5 | AI score 7.7 | EPSS 0.00397
Exploits: 1 | References: 2