10 matches found

RedhatCVE · added 2026/01/09 10:42 a.m. · 4 views

CVE-2022-26969

In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true...

CVSS 9.8 · AI score 6.9 · EPSS 0.00909
Exploits 0 · References 1

CVE · added 2025/11/13 9:29 p.m. · 9 views

CVE-2025-64748

CVE-2025-64748 affects Directus (real-time API and app dashboard for SQL databases). Prior to 11.13.0, authenticated users with read permissions can search concealed/sensitive fields; while actual values are masked, matching records reveal existence of those values, enabling data enumeration. Aff...

CVSS 6.5 · AI score 6.7 · EPSS 0.00044
Exploits 0 · References 2 · Affected Software 1

EUVD · added 2025/10/03 8:07 p.m. · 0 views

EUVD-2024-2375

Malicious code in bioql PyPI...

CVSS 7.5 · AI score 6.4 · EPSS 0.0053
Exploits 1 · References 4

OSV · added 2025/07/15 3:29 p.m. · 2 views

GHSA-RMJH-CF9Q-PV7Q Directus' exact version number is exposed by the OpenAPI Spec

Summary: The exact Directus version number is incorrectly being used as the OpenAPI Spec version; this means that it is being exposed by the /server/specs/oas endpoint without authentication. Impact: With the exact version information, a malicious attacker can look for known vulnerabilities in Directus...

CVSS 5.3 · AI score 6.2 · EPSS 0.00316
Exploits 0 · References 6

Github Security Blog · added 2025/07/15 3:29 p.m. · 4 views

Directus' exact version number is exposed by the OpenAPI Spec

Summary: The exact Directus version number is incorrectly being used as the OpenAPI Spec version; this means that it is being exposed by the /server/specs/oas endpoint without authentication. Impact: With the exact version information, a malicious attacker can look for known vulnerabilities in Directus...

CVSS 5.3 · AI score 6.4 · EPSS 0.00316
Exploits 0 · References 6 · Affected Software 1

CVE · added 2025/07/14 11:50 p.m. · 29 views

CVE-2025-53889

Summary: CVE-2025-53889 affects Directus up to 11.9.0 where manual trigger Flows do not validate whether the triggering user has read permissions for payload items, potentially allowing unauthorized actions. The issue is fixed in 11.9.0; a workaround is to add permission checks for read access to...

CVSS 6.5 · AI score 7.1 · EPSS 0.00244
Exploits 0 · References 3 · Affected Software 1

Vulnrichment · added 2025/07/14 11:40 p.m. · 3 views

CVE-2025-53887 Directus's exact version number is exposed by the OpenAPI Spec

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, the exact Directus version number is incorrectly being used as the OpenAPI Spec version; this means that it is being exposed by the /server/specs/oas endpoint without...

CVSS 5.3 · AI score 6.9 · EPSS 0.00316
Exploits 0 · References 4

Positive Technologies · added 2024/08/15 12:00 a.m. · 1 view

PT-2024-37695 · Directus · Directus

Name of the Vulnerable Software and Affected Versions: Directus version 10.13.0 Description: The issue allows an authenticated external attacker to execute arbitrary JavaScript on the client. This is possible because the application injects an attacker-controlled parameter into an unsanitized DOM...

CVSS 6.9 · AI score 6.5 · EPSS 0.00122
Exploits 1 · References 17

Positive Technologies · added 2024/07/05 12:00 a.m. · 2 views

PT-2024-37696 · Directus · Directus

Name of the Vulnerable Software and Affected Versions: Directus version 10.13.0 Description: The issue allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in...

CVSS 5.3 · AI score 5.7 · EPSS 0.00058
Exploits 0 · References 22

ATTACKERKB · added 2022/06/22 4:15 p.m. · 3 views

CVE-2022-23080

Directus versions v9.0.0-beta.2 through 9.6.0 are vulnerable to server-side request forgery (SSRF) in the media upload functionality, which allows a low-privileged user to perform internal network port scans...

CVSS 5 · AI score 5.8 · EPSS 0.00116
Exploits 1 · References 3