Lucene search
K

833 matches found

CNNVD
CNNVD
added 2026/04/06 12:0 a.m.8 views

Directus 输入验证错误漏洞

Directus is an open-source real-time API and application dashboard developed by Directus. It is used to manage SQL database content. Prior to Directus 11.16.1, there was a vulnerability related to input validation errors. This vulnerability stemmed from the isLoginRedirectAllowed function failing...

6.1CVSS5.8AI score0.00256EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/04/06 12:0 a.m.9 views

Directus 安全漏洞

Directus is an open-source real-time API and application dashboard developed by Directus. It is used to manage SQL database content. Versions of Directus prior to 11.17.0 contained a security vulnerability. This vulnerability stemmed from the lack of the Cross-Origin-Opener-Policy header on the...

9.3CVSS5.9AI score0.00169EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/04/06 12:0 a.m.10 views

Directus 信息泄露漏洞

Directus is an open-source real-time API and application dashboard developed by Directus. It is used to manage SQL database content. Versions of Directus prior to 11.16.1 contained a vulnerability related to information leakage. This vulnerability stemmed from the serverspecs GraphQL parser not...

5.3CVSS5.9AI score0.00314EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/04/06 12:0 a.m.7 views

Directus 代码问题漏洞

Directus is an open-source real-time API and application dashboard developed by Directus. It is used to manage SQL database content. Versions of Directus prior to 11.16.0 have code vulnerabilities; these vulnerabilities stem from the IP address verification mechanism, which can be bypassed by IPv...

7.7CVSS5.9AI score0.00336EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/04/06 12:0 a.m.13 views

Directus 安全漏洞

Directus is an open-source real-time API and application dashboard developed by Directus. It is used to manage SQL database content. Versions of Directus prior to 11.16.1 contained a security vulnerability. This vulnerability stemmed from the TUS recoverable upload endpoint, which only performed...

8.1CVSS6AI score0.00302EPSS
Exploits0References2
vulnersOsv
vulnersOsv
added 2026/04/04 6:13 a.m.8 views

@altipla/directus-sdk-utils (=0.7.2), @depup/directus (=11.16.1-depup.0) +6 more potentially affected by CVE-2026-35442 via directus (>=10.10.0 <=11.16.1)

directus NPM version =10.10.0, =15.0.0, =1.2.2, =1.0.0, =2.0.0 - directus-extension-blog-year-filter =1.0.0 Source cves: CVE-2026-35442 Source advisory: OSV:GHSA-38HG-WW64-RRWC...

8.1CVSS5.8AI score0.00337EPSS
Exploits0
OSV
OSV
added 2026/04/04 6:13 a.m.9 views

GHSA-38HG-WW64-RRWC Directus: Authenticated Users Can Extract Concealed Fields via Aggregate Queries

Summary Aggregate functions min, max applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any authenticated user with read access to the affected collection can extract concealed field values, includi...

8.1CVSS5.9AI score0.00337EPSS
Exploits0References3
Snyk
Snyk
added 2026/04/04 6:13 a.m.7 views

Incorrect Authorization

Overview directus is a Directus is a real-time API and App dashboard for managing SQL database content. Affected versions of this package are vulnerable to Incorrect Authorization in the aggregate query process when applying min or max functions to fields marked as concealed. An attacker can...

8.6CVSS5.9AI score0.00337EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/04/04 6:13 a.m.10 views

Directus: Authenticated Users Can Extract Concealed Fields via Aggregate Queries

Summary Aggregate functions min, max applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any authenticated user with read access to the affected collection can extract concealed field values, includi...

8.1CVSS5.9AI score0.00337EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/04/04 6:13 a.m.2 views

GHSA-6Q22-G298-GRJH Directus: Unauthenticated Denial of Service via GraphQL Alias Amplification of Expensive Health Check Resolver

Summary The GraphQL specification permits a single query to repeat the same field multiple times using aliases, with each alias resolved independently by default. Directus did not deduplicate resolver invocations within a single request, meaning each alias triggered a full, independent execution ...

7.5CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/04/04 6:13 a.m.4 views

Allocation of Resources Without Limits or Throttling

Overview directus is a Directus is a real-time API and App dashboard for managing SQL database content. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the health check resolver process. An attacker can exhaust system resources, leading...

8.7CVSS6AI score
Exploits0References2
vulnersOsv
vulnersOsv
added 2026/04/04 6:13 a.m.9 views

@altipla/directus-sdk-utils (=0.7.2), @depup/directus (=11.16.1-depup.0) +6 more potentially affected by unknown CVE via directus (>=10.10.0 <=11.16.1)

directus NPM version =10.10.0, =15.0.0, =1.2.2, =1.0.0, =2.0.0 - directus-extension-blog-year-filter =1.0.0 Source cves: unknown CVE Source advisory: OSV:GHSA-6Q22-G298-GRJH...

5.8AI score
Exploits0
Github Security Blog
Github Security Blog
added 2026/04/04 6:13 a.m.12 views

Directus: Unauthenticated Denial of Service via GraphQL Alias Amplification of Expensive Health Check Resolver

Summary The GraphQL specification permits a single query to repeat the same field multiple times using aliases, with each alias resolved independently by default. Directus did not deduplicate resolver invocations within a single request, meaning each alias triggered a full, independent execution ...

6AI score
Exploits0References2Affected Software1
vulnersOsv
vulnersOsv
added 2026/04/04 6:12 a.m.9 views

@altipla/directus-sdk-utils (=0.7.2), @depup/directus (=11.16.1-depup.0) +6 more potentially affected by CVE-2026-35441 via directus (>=10.10.0 <=11.16.1)

directus NPM version =10.10.0, =15.0.0, =1.2.2, =1.0.0, =2.0.0 - directus-extension-blog-year-filter =1.0.0 Source cves: CVE-2026-35441 Source advisory: OSV:GHSA-PH52-67FQ-75WJ...

6.5CVSS5.8AI score0.00361EPSS
Exploits0
Snyk
Snyk
added 2026/04/04 6:12 a.m.2 views

Allocation of Resources Without Limits or Throttling

Overview directus is a Directus is a real-time API and App dashboard for managing SQL database content. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the GraphQL resolver process. An attacker can exhaust server resources and cause...

7.1CVSS6.1AI score0.00361EPSS
Exploits0References2
OSV
OSV
added 2026/04/04 6:12 a.m.3 views

GHSA-PH52-67FQ-75WJ Directus: GraphQL Alias Amplification Denial of Service Due to Missing Query Cost/Complexity Limits

Summary Directus' GraphQL endpoints /graphql and /graphql/system did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to repeat an expensive relational query many times in a single request, forcing the server to execute a large...

6.5CVSS6AI score0.00361EPSS
Exploits0References3
vulnersOsv
vulnersOsv
added 2026/04/04 6:12 a.m.7 views

@altipla/directus-sdk-utils (=0.7.2), @depup/directus (=11.16.1-depup.0) +6 more potentially affected by CVE-2026-39943 via directus (>=10.10.0 <=11.16.1)

directus NPM version =10.10.0, =15.0.0, =1.2.2, =1.0.0, =2.0.0 - directus-extension-blog-year-filter =1.0.0 Source cves: CVE-2026-39943 Source advisory: OSV:GHSA-MVV8-V4JJ-G47J...

6.5CVSS5.8AI score0.0017EPSS
Exploits0
OSV
OSV
added 2026/04/04 6:12 a.m.3 views

GHSA-MVV8-V4JJ-G47J Directus: Sensitive fields exposed in revision history

Summary Directus stores revision records in directusrevisions whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline, sensitive fields including user tokens, two-factor authentication secrets, external auth...

6.5CVSS5.8AI score0.0017EPSS
Exploits0References4
Snyk
Snyk
added 2026/04/04 6:12 a.m.4 views

Cleartext Storage of Sensitive Information

Overview directus is a Directus is a real-time API and App dashboard for managing SQL database content. Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information in the process that stores revision records and logs flow operation payloads, where sensitive fiel...

7.1CVSS5.9AI score0.0017EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/04 6:11 a.m.4 views

Incorrect Authorization

Overview directus is a Directus is a real-time API and App dashboard for managing SQL database content. Affected versions of this package are vulnerable to Incorrect Authorization in the TUS upload process. An attacker can overwrite arbitrary files and corrupt metadata by uploading files with the...

8.1CVSS6AI score0.00302EPSS
Exploits0References2
Rows per page
Query Builder