Lucene search
K
MonospaceDirectus

54 matches found

CVE
CVE
added 2023/07/25 10:6 p.m.2512 views

CVE-2023-38503

Directus (real-time API/dashboard for SQL data) has an authentication/authorization flaw in GraphQL subscriptions. From version 10.3.0 up to, but not including, 10.5.0, permission filters like user_created IS $CURRENT_USER are not properly enforced for subscription events, allowing unauthorized u...

6.5CVSS6AI score0.00426EPSS
CVE
CVE
added 2023/03/03 9:49 p.m.133 views

CVE-2023-26492

Directus is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to /files/import), exploitable via DNS rebinding to bypass IP deny lists and access sensitive internal data. Affected versions include Directus prior to 9.23.0 (e.g.,

7.5CVSS6.5AI score0.0096EPSS
Web
CVE
CVE
added 2024/03/01 3:37 p.m.129 views

CVE-2024-27295

Directus vulnerability CVE-2024-27295: the password reset flow can be abused due to accent-insensitive and case-insensitive comparisons in MySQL/MariaDB, enabling an attacker to request a reset for a victim’s account by using a near-identical email address (with accented characters). The issue af...

8.2CVSS8.3AI score0.00702EPSS
CVE
CVE
added 2024/12/09 8:57 p.m.122 views

CVE-2024-54151

Directus vulnerability CVE-2024-54151 affects Directus real-time API/admin dashboard. From version 11.0.0 up to, but not including, 11.3.0, configuring WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH to "public" allows unauthenticated users to perform any supported operations (CRUD, subscriptions...

7.5CVSS8.1AI score0.00588EPSS
CVE
CVE
added 2025/08/20 5:58 p.m.121 views

CVE-2025-55746

Directus vulnerability (CVE-2025-55746) affects Directus real-time API/dashboard. From 10.8.0 to before 11.9.3, an issue in the file update mechanism lets an unauthenticated actor modify existing files with arbitrary content and/or upload new files (with arbitrary extensions) without updating dat...

9.3CVSS7.9AI score0.00438EPSS
CVE
CVE
added 2024/03/01 3:43 p.m.120 views

CVE-2024-27296

CVE-2024-27296 affects Directus: prior to 10.8.3, the exact Directus version is shipped in compiled JS bundles accessible without authentication, enabling attackers to map to known vulnerabilities in Directus core or dependencies. The issue has been fixed in 10.8.3 and later. Remediation is upgra...

5.3CVSS5.5AI score0.0057EPSS
CVE
CVE
added 2025/03/26 5:26 p.m.112 views

CVE-2025-30353

Directus vulnerability (CVE-2025-30353): In Directus, flows using the Webhook trigger with the Data of Last Operation response can disclose sensitive data when a ValidationError occurs. Affected versions are 9.12.0 up to, but not including, 11.5.0. The exposure includes environment variables, API...

8.6CVSS7.6AI score0.00505EPSS
CVE
CVE
added 2024/03/12 8:23 p.m.111 views

CVE-2024-28239

CVE-2024-28239 affects Directus. The authentication API’s redirect parameter can be exploited to perform an open redirect during login (e.g., redirect to http://malicious-fishing-site.com after OAuth2 login). This can enable phishing by steering users to a forged error page while using a legitima...

5.4CVSS5.8AI score0.00583EPSS
CVE
CVE
added 2024/10/08 5:54 p.m.111 views

CVE-2024-47822

CVE-2024-47822 – Directus : The issue arises from access tokens in query strings not being redacted when LOG_STYLE is set to raw, allowing potential exposure of long‑lived tokens in system logs. This could enable an attacker with log access to gain administrative control or perform unauthorized d...

4.2CVSS4.9AI score0.00312EPSS
CVE
CVE
added 2023/03/23 11:13 p.m.109 views

CVE-2023-28443

CVE-2023-28443 affects Directus before version 9.23.3, where the token directus_refresh_token is not redacted in logs, enabling potential user impersonation. The root cause is improper token redaction in log output, leading to sensitive data exposure via logging. The vulnerability requires access...

5.5CVSS5AI score0.00312EPSS
CVE
CVE
added 2024/12/05 4:55 p.m.109 views

CVE-2024-54128

Directus (Comment feature) is vulnerable to HTML injection because a client-side filter for restricted characters can be bypassed. The CVE notes that this bypass enables injection of HTML content, with documented impact and a fix in versions 10.13.4 and 11.2.0. Affected components: Directus core ...

5.7CVSS5.7AI score0.00339EPSS
CVE
CVE
added 2024/03/12 8:24 p.m.108 views

CVE-2024-28238

CVE-2024-28238 concerns Directus, where a session token (JWT) is sent via GET on the /files page. This exposes tokens to logs (web servers, browser history), enabling potential session hijacking and unauthorized actions if an attacker accesses those logs. Public sources in the connected documents...

2.3CVSS3.7AI score0.00245EPSS
CVE
CVE
added 2025/01/23 5:45 p.m.107 views

CVE-2025-24353

Directus prior to version 11.2.0 is vulnerable to privilege escalation via the share feature. A user can specify an arbitrary role when sharing an item, enabling access to fields that should be restricted for their role. Affected instances are those using the share feature with a role hierarchy a...

5CVSS5.4AI score0.00372EPSS
CVE
CVE
added 2022/12/26 12:0 a.m.103 views

CVE-2022-26969

CVE-2022-26969 affects Directus prior to version 9.7.0, where the default settings for CORS_ORIGIN and CORS_ENABLED are true. The Red Hat and NVD entries confirm this issue, with a high-severity CVSS v3.1 base score (9.8, CRITICAL) and a network-based vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)....

9.8CVSS9.4AI score0.00927EPSS
CVE
CVE
added 2025/03/26 4:49 p.m.99 views

CVE-2025-30350

Directus and its storage-driver-s3 component are affected by a DoS-like asset unavailability vulnerability triggered by a burst of HEAD requests. Affected range: @directus/storage-driver-s3 versions prior to 12.0.1 (corresponding to Directus 9.22.0–11.5.0). When many HEAD checks occur, assets can...

5.3CVSS7.6AI score0.00406EPSS
CVE
CVE
added 2024/07/08 4:47 p.m.97 views

CVE-2024-39895

Directus (graph-based API) is affected by a DoS via GraphQL field duplication. An attacker can craft a query to duplicate fields (e.g., GraphQL /graphql calls in dashboards), causing excessive resource usage and service unavailability. The vulnerability is fixed in Directus 10.12.0. Remediation: ...

6.5CVSS6.5AI score0.00795EPSS
CVE
CVE
added 2025/07/14 11:35 p.m.97 views

CVE-2025-53886

Directus vulnerability CVE-2025-53886 affects Directus with Flows using the WebHook trigger prior to version 11.9.0. The issue logs all incoming request details, including sensitive data such as access and refresh tokens stored in cookies, enabling a user with log access (malicious admins) to hij...

4.5CVSS7AI score0.00387EPSS
CVE
CVE
added 2024/07/08 5:27 p.m.96 views

CVE-2024-39896

Directus (real-time API/admin for SQL content) has a user-enumeration flaw when relying on SSO providers together with local login. If an email exists and belongs to a known SSO provider, Directus may emit a “helpful” error indicating the user belongs to another provider, enabling enumeration of ...

7.5CVSS7.5AI score0.00506EPSS
CVE
CVE
added 2025/03/26 5:13 p.m.95 views

CVE-2025-30351

CVE-2025-30351 affects Directus: real-time API and app dashboard for SQL DB content. From version 10.10.0 up to, but not including, 11.5.0, a suspended user can keep using a token from session auth to access the API because verifySessionJWT does not check that the user is still active. This enabl...

4.3CVSS7.7AI score0.00337EPSS
CVE
CVE
added 2024/06/03 2:59 p.m.93 views

CVE-2024-36128

Directus (Real-time API/dashboard for SQL databases) is affected by CVE-2024-36128 prior to version 10.11.2. Providing a non-numeric length to the random string generation utility triggers a memory issue that disrupts random session IDs, causing a denial of service where logged-in sessions can no...

7.5CVSS7.4AI score0.0062EPSS
CVE
CVE
added 2024/07/08 3:32 p.m.93 views

CVE-2024-39699

Directus has a Blind SSRF via redirects in file import. The vulnerability arises because redirects are allowed during URL-based imports and the response URL isn’t validated, enabling requests to internal IPs (e.g., 127.0.0.1) despite earlier fixes that only validated DNS/internal IPs. The issue i...

5CVSS5.3AI score0.00435EPSS
CVE
CVE
added 2025/03/26 5:18 p.m.92 views

CVE-2025-30352

CVE-2025-30352 affects Directus real-time API/dashboard. Versions 9.0.0-alpha.4 through 11.5.0 are vulnerable due to the search query parameter not checking view permissions when constructing WHERE clauses, allowing enumeration of contents in fields the user should not see. The underlying issue i...

5.3CVSS7.7AI score0.00345EPSS
CVE
CVE
added 2025/03/26 4:27 p.m.91 views

CVE-2025-30225

The CVE affects Directus users via the @directus/storage-driver-s3 driver: versions 9.22.0 up to 11.5.0 (paired Directus 9.22.0 to 11.5.0) are vulnerable to asset unavailability after a burst of malformed transformation requests, causing all assets to return 403 under load. The issue is fixed in ...

5.3CVSS7.6AI score0.00406EPSS
CVE
CVE
added 2024/07/08 4:43 p.m.89 views

CVE-2024-39701

Directus (versions 9.23.0 through 10.5.3) improperly handles the _in and _nin operators by evaluating empty arrays as valid, causing Broken Access Control where a rule like {"role": {"_in": $CURRENT_USER.some_field}} may pass unexpectedly. The issue is fixed in Directus 10.6.0. Affected deploymen...

7.7CVSS6.4AI score0.00423EPSS
CVE
CVE
added 2025/02/19 4:42 p.m.87 views

CVE-2025-27089

Directus has a vulnerability (CVE-2025-27089) where overlapping update policies can cause a user to update fields not permitted for a specific item. Root cause: the system previously validated access at the item level; the fix evaluates permissions per field in the validateItemAccess query and re...

5.4CVSS5.8AI score0.0022EPSS
CVE
CVE
added 2024/09/10 6:43 p.m.86 views

CVE-2024-45596

Summary: Directus real-time API/dashboard contains a vulnerability where an unauthenticated user can obtain the credentials of the last authenticated user via OpenID or OAuth2 when the redirect parameter is missing. Root cause: the respond middleware caches certain GET requests, and the condition...

7.4CVSS7.6AI score0.00618EPSS
CVE
CVE
added 2024/09/18 4:55 p.m.85 views

CVE-2024-46990

Summary: CVE-2024-46990 affects Directus where blocking localhost via the default 0.0.0.0 filter can be bypassed using other loopback addresses (e.g., 127.0.0.2–127.127.127.127). Vulnerability details (supported by connected docs): Directus real-time API and app dashboard fails to restrict access...

5CVSS5.4AI score0.00463EPSS
CVE
CVE
added 2024/05/13 7:33 p.m.84 views

CVE-2024-34708

Directus 10.x is affected by a Sensitive Information Disclosure vulnerability where a user with permission to view any collection can bypass redaction via the alias API parameter (alias[workaround]=redacted), exposing plaintext values of hashed fields. The root cause is improper handling of the a...

4.9CVSS6.7AI score0.00757EPSS
CVE
CVE
added 2024/05/13 7:39 p.m.80 views

CVE-2024-34709

Directus before version 10.11.0 does not invalidate session tokens on logout. The directus_session cookie is destroyed, but if the cookie value is captured, it remains valid for the token’s full expiry (1 day by default), effectively making it a long-lived, unrevokable stateless token. The issue ...

5.4CVSS5.6AI score0.0045EPSS
CVE
CVE
added 2024/08/15 3:10 a.m.76 views

CVE-2024-6534

CVE-2024-6534 affects Directus v10.13.0. An authenticated external attacker can modify presets created by the same user to assign them to another user due to insufficient validation of the user parameter in PATCH /presets (only POST /presets is validated). This vulnerability, when chained with CV...

4.3CVSS4.2AI score0.00326EPSS
CVE
CVE
added 2022/08/19 8:40 p.m.68 views

CVE-2022-36031

Directus CVE-2022-36031 affects the Directus data platform. The issue arises when an authorized (non-admin) user with permission to update the filename_disk field on directus_files changes the value to a folder and then accesses that file via the /assets endpoint, causing the Directus process to ...

6.5CVSS6.5AI score0.00837EPSS
CVE
CVE
added 2024/08/15 3:4 a.m.65 views

CVE-2024-6533

Directus 10.13.0 is affected by a DOM-based XSS flaw where an authenticated attacker can inject and store an attacker-controlled value that is rendered into an unsanitized DOM element on the client. The issue stems from how a parameter is stored on the server and later used by the client, enablin...

5.4CVSS4.8AI score0.00358EPSS
CVE
CVE
added 2023/03/07 6:20 p.m.61 views

CVE-2023-27481

CVE-2023-27481—Directus password-hash exposure risk : Directus prior to 9.16.0 allowed users with read access to the password field in directus_users to enumerate argon2 password hashes by abusing the export function with a _starts_with filter. The root cause is a permissive filtering path on has...

4.3CVSS4.8AI score0.00604EPSS
CVE
CVE
added 2023/10/19 6:38 p.m.58 views

CVE-2023-45820

Directus is vulnerable to a DoS via invalid WebSocket frames. When websockets are enabled, receiving an invalid frame can crash the Directus server, leading to high availability impact. The issue affects Directus installations with websockets enabled and has been addressed in version 10.6.2; upgr...

6.5CVSS6.2AI score0.00689EPSS
CVE
CVE
added 2023/04/04 12:0 a.m.57 views

CVE-2020-19850

CVE-2020-19850 affects Directus API v2.2.0. It allows a remote attacker to cause a denial of service by sending a large number of HTTP requests. CVSS v3.1 base score 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). The vulnerability concerns Directus API’s handling of request volume and could impact av...

6.5CVSS6.3AI score0.01079EPSS
CVE
CVE
added 2025/07/14 11:50 p.m.49 views

CVE-2025-53889

Summary: CVE-2025-53889 affects Directus up to 11.9.0 where manual trigger Flows do not validate whether the triggering user has read permissions for payload items, potentially allowing unauthorized actions. The issue is fixed in 11.9.0; a workaround is to add permission checks for read access to...

6.5CVSS7.1AI score0.00395EPSS
CVE
CVE
added 2025/07/14 11:18 p.m.46 views

CVE-2025-53885

Directus Flows logs can disclose sensitive user data via the Log to Console operation. Affected: Directus real-time API/dashboard prior to 11.9.0 (versions 9.0.0–11.8.x). Root cause: logging unfettered input during user create/update events, enabling a malicious admin to view other users’ data. I...

4.2CVSS7AI score0.0017EPSS
CVE
CVE
added 2025/07/14 11:40 p.m.33 views

CVE-2025-53887

Summary: Directus prior to 11.9.0 exposes the exact running version via the OpenAPI spec at /server/specs/oas, enabling targeted lookups for known vulnerabilities in Directus core and dependencies. This information disclosure is fixed in 11.9.0. What’s affected: Directus real-time API and app das...

5.3CVSS7AI score0.00452EPSS
CVE
CVE
added 2026/04/09 4:12 p.m.31 views

CVE-2026-39943

CVE-2026-39943 (Directus) affects Directus prior to v11.17.0. The revision-snapshot path writes revisions to directus_revisions without consistently applying the prepareDelta sanitization, potentially storing sensitive fields (tokens, 2FA secrets, external auth identifiers, auth data, credentials...

6.5CVSS6AI score0.0017EPSS
CVE
CVE
added 2026/04/06 9:34 p.m.26 views

CVE-2026-35413

Directus CVE-2026-35413 exposes schema structure via the server_specs_graphql resolver on /graphql/system when GRAPHQL_INTROSPECTION is false. Multiple trusted sources (Directus advisories, Red Hat, OSV, Snyk, etc.) confirm that before version 11.16.1, SDL-style schema data could be retrieved by ...

5.3CVSS5.9AI score0.00314EPSS
CVE
CVE
added 2026/02/12 9:54 p.m.25 views

CVE-2026-26185

Directus before v11.14.1 is affected by a timing-based user enumeration vulnerability in the password reset flow. When an invalid reset_url is supplied, responses differ by about 500ms between existing and non-existing users, enabling enumeration of valid usernames. The issue is fixed in v11.14.1...

5.3CVSS5.7AI score0.00349EPSS
CVE
CVE
added 2026/04/06 9:33 p.m.25 views

CVE-2026-35411

Directus prior to 11.16.1 is vulnerable to an open redirect on the /admin/tfa-setup page via the redirect parameter. An administrator who has not configured 2FA can be presented with the legitimate 2FA setup page, and after completing setup the app redirects to an attacker‑controlled URL without ...

4.3CVSS5.9AI score0.00256EPSS
CVE
CVE
added 2026/04/06 9:31 p.m.23 views

CVE-2026-35409

Directus SSRF protection bypass (CVE-2026-35409) arises from inadequate normalization of IPv4-mapped IPv6 addresses in the deny-list, allowing requests to internal/private targets to bypass the IP filter in file import workflows. Affected product: Directus real-time API/dashboard; vulnerability f...

7.7CVSS5.8AI score0.00336EPSS
CVE
CVE
added 2026/01/08 2:32 p.m.19 views

CVE-2026-22032

Directus before v11.14.0 has an open redirect in the SAML authentication callback endpoint. The RelayState used to preserve the original destination is not validated for the callback, enabling an attacker to redirect users to an arbitrary external URL after login completion. The issue affects bot...

6.1CVSS7.2AI score0.00196EPSS
CVE
CVE
added 2026/04/06 9:36 p.m.19 views

CVE-2026-35441

Directus CVE-2026-35441 affects Directus up to version 11.16.x, with the GraphQL endpoints /graphql and /graphql/system failing to deduplicate resolver invocations within a single request. The vulnerability allows an authenticated user to abuse GraphQL aliasing to trigger many expensive relationa...

6.5CVSS6AI score0.00361EPSS
CVE
CVE
added 2025/11/13 8:54 p.m.18 views

CVE-2025-64746

Directus before 11.13.0 improperly cleans up field-level permissions when a field is deleted. A stale permission reference remains in the permissions table; if a new field with the same name is created, it inherits those outdated permissions, potentially granting access to data users should not r...

5.4CVSS6.9AI score0.00166EPSS
CVE
CVE
added 2026/04/06 9:32 p.m.18 views

CVE-2026-35410

CVE-2026-35410 – Directus open redirect : The vulnerability lies in Directus’ login redirection logic, where the isLoginRedirectAllowed function can misclassify malformed URLs as internal, bypassing the redirect allow-list and sending authenticated users to arbitrary external domains. Affected so...

6.1CVSS6.1AI score0.00256EPSS
CVE
CVE
added 2026/04/06 9:36 p.m.17 views

CVE-2026-35442

CVE-2026-35442 affects Directus prior to 11.17.0, where aggregate functions (min/max) on fields with the concealed type can return raw database values instead of masked placeholders. When used with groupBy, any authenticated user with read access to the affected collection can extract concealed v...

8.1CVSS5.9AI score0.00337EPSS
CVE
CVE
added 2026/04/09 4:7 p.m.17 views

CVE-2026-39942

CVE-2026-39942 (Directus) is a path traversal/broken access control issue in the Directus file management API. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. An attacker can set filename_disk to the storage path of another user’s file, allowing...

8.8CVSS5.9AI score0.00204EPSS
CVE
CVE
added 2025/11/13 9:13 p.m.15 views

CVE-2025-64747

CVE-2025-64747 describes a stored XSS in Directus prior to version 11.13.0. Attackers with upload files and edit item permissions can inject JavaScript via the Block Editor interface. The technique exploits insufficient sanitization and uses an iframe with a srcdoc attribute to bypass CSP, enabli...

5.5CVSS5.5AI score0.00215EPSS
Total number of security vulnerabilities54