directus (npm)
35 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting directus (page 1 of 1)
- CVE-2020-19850 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 2.2.1 | 2023-04-04
  Vulnerable: 2.2.0
  An issue found in Directus API v.2.2.0 allows a remote attacker to cause a denial of service via a large number of HTTP requests.
- CVE-2022-23080 | MEDIUM | CVSS 5.0 | EG 5.0 | ✓ Fixed in 9.7.0 | 2022-06-22
  Directus versions v9.0.0-beta.2 through 9.6.0 are vulnerable to server-side request forgery (SSRF) in the media upload functionality, which allows a low-privileged user to perform internal network port scans.
- CVE-2022-24814 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 9.7.0 | 2022-04-04
  Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.7.0, unauthorized JavaScript (JS) can be executed by inserting an iframe into the rich text html interface that links to a file uploaded HT…
- CVE-2022-26969 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 9.7.0 | 2022-12-26
  In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true.
- CVE-2022-36031 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 9.15.0 | 2022-08-19
  Directus is a free and open-source data platform for headless content management. The Directus process can be aborted by having an authorized user update the `filename_disk` value to a folder and accessing that file through the `/assets` e…
- CVE-2023-26492 | MEDIUM | CVSS 5.0 | EG 5.0 | ✓ Fixed in 9.23.0 | 2023-03-03
  Directus is a real-time API and App dashboard for managing SQL database content. Directus is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to `/files/import`). An attacker can bypass …
- CVE-2023-27474 | HIGH | CVSS 8.0 | EG 8.0 | ✓ Fixed in 9.23.0 | 2023-03-06
  Directus is a real-time API and App dashboard for managing SQL database content. Instances relying on an allow-listed reset URL are vulnerable to an HTML injection attack through the use of query parameters in the reset URL. An attacker co…
- CVE-2023-27481 | MEDIUM | CVSS 4.3 | EG 4.3 | ✓ Fixed in 9.16.0 | 2023-03-07
  Directus is a real-time API and App dashboard for managing SQL database content. In versions prior to 9.16.0, users with read access to the `password` field in `directus_users` can extract the argon2 password hashes by brute forcing the exp…
- CVE-2023-28443 | MEDIUM | CVSS 4.2 | EG 4.2 | ✓ Fixed in 9.23.3 | 2023-03-24
  Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.23.3, the `directus_refresh_token` is not redacted properly from the log outputs and can be used to impersonate users without their permiss…
- CVE-2023-38503 | MEDIUM | CVSS 5.7 | EG 5.7 | ✓ Fixed in 10.5.0 | 2023-07-25
  Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.3.0 and prior to version 10.5.0, the permission filters (i.e. `user_created IS $CURRENT_USER`) are not properly checked when using Grap…
- CVE-2023-45820 | MEDIUM | CVSS 5.9 | EG 5.9 | ✓ Fixed in 10.6.2 | 2023-10-19
  Directus is a real-time API and App dashboard for managing SQL database content. In affected versions, any Directus installation that has websockets enabled can be crashed if the websocket server receives an invalid frame. A malicious user …
- CVE-2024-27295 | HIGH | CVSS 8.2 | EG 8.2 | ✓ Fixed in 10.8.3 | 2024-03-01
  Directus is a real-time API and App dashboard for managing SQL database content. The password reset mechanism of the Directus backend allows attackers to receive a password reset email of a victim user, specifically having it arrive at a s…
- CVE-2024-27296 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 10.8.3 | 2024-03-01
  Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 10.8.3, the exact Directus version number was being shipped in compiled JS bundles which are accessible without authentication. With this inf…
- CVE-2024-28238 | LOW | CVSS 2.3 | EG 2.3 | ✓ Fixed in 10.10.0 | 2024-03-12
  Directus is a real-time API and App dashboard for managing SQL database content. When reaching the /files page, a JWT is passed via GET request. Inclusion of session tokens in URLs poses a security risk as URLs are often logged in various …
- CVE-2024-28239 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 10.10.0 | 2024-03-12
  Directus is a real-time API and App dashboard for managing SQL database content. The authentication API has a `redirect` parameter that can be exploited as an open redirect vulnerability as the user tries to log in via the API URL. There's…
- CVE-2024-34708 | MEDIUM | CVSS 4.9 | EG 4.9 | ✓ Fixed in 10.11.0 | 2024-05-14
  Directus is a real-time API and App dashboard for managing SQL database content. A user with permission to view any collection using redacted hashed fields can get access to the raw stored version using the `alias` functionality on the API. N…
- CVE-2024-34709 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 10.11.0 | 2024-05-14
  Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.0, session tokens function like the other JWT tokens where they are not actually invalidated when logging out. The `directus_session` gets dest…
- CVE-2024-36128 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 10.11.2 | 2024-06-03
  Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.2, providing a non-numeric length value to the random string generation utility will create a memory issue breaking the capability to generate …
- CVE-2024-39701 | MEDIUM | CVSS 6.3 | EG 6.3 | ✓ Fixed in 10.6.0 | 2024-07-08
  Directus is a real-time API and App dashboard for managing SQL database content. Directus >=9.23.0, <=v10.5.3 improperly handles the _in and _nin operators. It evaluates empty arrays as valid, so expressions like {"role": {"_in": $CURRENT_USER.som…
- CVE-2024-39896 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 10.13.0 | 2024-07-08
  Directus is a real-time API and App dashboard for managing SQL database content. When relying on SSO providers in combination with local authentication it can be possible to enumerate existing SSO users in the instance. This is possible be…
- CVE-2024-45596 | HIGH | CVSS 7.4 | EG 7.4 | ✓ Fixed in 11.1.0 | 2024-09-10
  Directus is a real-time API and App dashboard for managing SQL database content. An unauthenticated user can access credentials of the last authenticated user via OpenID or OAuth2 where the authentication URL did not include redirect query str…
- CVE-2024-46990 | MEDIUM | CVSS 5.0 | EG 5.0 | ✓ Fixed in 11.1.0 | 2024-09-18
  Directus is a real-time API and App dashboard for managing SQL database content. When relying on blocking access to localhost using the default `0.0.0.0` filter, a user may bypass this block by using other registered loopback devices (like …
- CVE-2024-54128 | MEDIUM | CVSS 5.7 | EG 5.7 | ✓ Fixed in 11.2.2 | 2024-12-05
  Directus is a real-time API and App dashboard for managing SQL database content. The Comment feature has implemented a filter to prevent users from adding restricted characters, such as HTML tags. However, this filter operates on the clien…
- CVE-2024-54151 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 11.3.0 | 2024-12-09
  Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 11.0.0 and prior to version 11.3.0, when setting `WEBSOCKETS_GRAPHQL_AUTH` or `WEBSOCKETS_REST_AUTH` to "public", an unauthenticated user …
- CVE-2024-6534 | MEDIUM | CVSS 4.3 | EG 4.3 | ✓ Fixed in 10.13.2 | 2024-08-15
  Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the 'POST /presets' reque…
- CVE-2026-35408 | HIGH | CVSS 8.7 | EG 8.7 | ✓ Fixed in 11.17.0 | 2026-04-06
  Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus's Single Sign-On (SSO) login pages lacked a Cross-Origin-Opener-Policy (COOP) HTTP response header. Without this header, a maliciou…
- CVE-2026-35409 | HIGH | CVSS 7.7 | EG 7.7 | ✓ Fixed in 11.16.0 | 2026-04-06
  Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.0, a Server-Side Request Forgery (SSRF) protection bypass has been identified and fixed in Directus. The IP address validation mechanism used t…
- CVE-2026-35410 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 11.16.1 | 2026-04-06
  Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, an open redirect vulnerability exists in the login redirection logic. The isLoginRedirectAllowed function fails to correctly identify certai…
- CVE-2026-35411 | MEDIUM | CVSS 4.3 | EG 4.3 | ✓ Fixed in 11.16.1 | 2026-04-06
  Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, Directus is vulnerable to an open redirect via the redirect query parameter on the /admin/tfa-setup page. When an administrator who has not …
- CVE-2026-35412 | HIGH | CVSS 7.1 | EG 7.1 | ✓ Fixed in 11.16.1 | 2026-04-06
  Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, Directus' TUS resumable upload endpoint (/files/tus) allows any authenticated user with basic file upload permissions to overwrite arbitrary…
- CVE-2026-35413 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 11.16.1 | 2026-04-06
  Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, when GRAPHQL_INTROSPECTION=false is configured, Directus correctly blocks standard GraphQL introspection queries (__schema, __type). However…
- CVE-2026-35441 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 11.17.0 | 2026-04-06
  Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus' GraphQL endpoints (/graphql and /graphql/system) did not deduplicate resolver invocations within a single request. An authenticate…
- CVE-2026-35442 | HIGH | CVSS 8.1 | EG 8.1 | ✓ Fixed in 11.17.0 | 2026-04-06
  Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, aggregate functions (min, max) applied to fields with the conceal special type incorrectly return raw database values instead of the masked …
- CVE-2026-39942 | HIGH | CVSS 8.5 | EG 8.5 | ✓ Fixed in 11.17.0 | 2026-04-09
  Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another…
- CVE-2026-39943 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 11.17.0 | 2026-04-09
  Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus stores revision records (in directus_revisions) whenever items are created or updated. Due to the revision snapshot code not consis…