Directus Security Vulnerabilities and Issues — Directus CVE List

Lucene search

MonospaceDirectus

8 matches found

CVE•added 2024/03/01 4:15 p.m.•104 views

CVE-2024-27296

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 10.8.3, the exact Directus version number was being shipped in compiled JS bundles which are accessible without authentication. With this information a malicious attacker can trivially look for known v...

5.3CVSS5.5AI score0.00334EPSS

CVE•added 2024/03/12 9:15 p.m.•91 views

CVE-2024-28239

Directus is a real-time API and App dashboard for managing SQL database content. The authentication API has a redirect parameter that can be exploited as an open redirect vulnerability as the user tries to log in via the API URL. There's a redirect that is done after successful login via the Auth A...

5.4CVSS5.8AI score0.00229EPSS

CVE•added 2023/03/24 12:15 a.m.•87 views

CVE-2023-28443

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.23.3, the directus_refresh_token is not redacted properly from the log outputs and can be used to impersonate users without their permission. This issue is patched in version 9.23.3.

5.5CVSS5AI score0.00036EPSS

CVE•added 2024/07/08 4:15 p.m.•76 views

CVE-2024-39699

Directus is a real-time API and App dashboard for managing SQL database content. There was already a reported SSRF vulnerability via file import. It was fixed by resolving all DNS names and checking if the requested IP is an internal IP address. However it is possible to bypass this security measur...

5CVSS5.3AI score0.00034EPSS

CVE•added 2025/02/19 5:15 p.m.•67 views

CVE-2025-27089

Directus is a real-time API and App dashboard for managing SQL database content. In affected versions if there are two overlapping policies for the update action that allow access to different fields, instead of correctly checking access permissions against the item they apply for the user is allow...

5.4CVSS5.8AI score0.00037EPSS

CVE•added 2024/05/14 3:39 p.m.•64 views

CVE-2024-34709

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.0, session tokens function like the other JWT tokens where they are not actually invalidated when logging out. The directus_session gets destroyed and the cookie gets deleted but if the cookie value is c...

5.4CVSS5.6AI score0.00166EPSS

CVE•added 2024/08/15 3:15 a.m.•48 views

CVE-2024-6533

Directus v10.13.0 allows an authenticated external attacker to execute arbitrary JavaScript on the client. This is possible because the application injects an attacker-controlled parameter that will be stored in the server and used by the client into an unsanitized DOM element. When chained with CV...

5.4CVSS4.8AI score0.00035EPSS

CVE•added 2025/07/15 12:15 a.m.•8 views

CVE-2025-53887

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, the exact Directus version number is incorrectly being used as OpenAPI Spec version this means that it is being exposed by the /server/specs/oas endpoint without a...

5.3CVSS7AI score0.00063EPSS