| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2025-53885 | Directus doesn't redact sensitive user data when logging via event hooks | directus | directus | Medium | 4.2 | 2025-07-14 23:18:58 | Deep Dive |
| CVE-2025-30353 | Directus's webhook trigger flows can leak sensitive data | directus | directus | High | 8.6 | 2025-03-26 17:26:52 | Deep Dive |
| CVE-2025-30352 | Directus `search` query parameter allows enumeration of non permitted fields | directus | directus | Medium | 5.3 | 2025-03-26 17:18:40 | Deep Dive |
| CVE-2025-30351 | Suspended Directus user can continue to use session token to access API | directus | directus | Low | 3.5 | 2025-03-26 17:13:42 | Deep Dive |
| CVE-2025-30350 | Directus's S3 assets become unavailable after a burst of HEAD requests | directus | directus | Medium | 5.3 | 2025-03-26 16:49:49 | Deep Dive |
| CVE-2025-30225 | Directus's S3 assets become unavailable after a burst of malformed transformations | directus | directus | Medium | 5.3 | 2025-03-26 16:27:15 | Deep Dive |
| CVE-2025-27089 | Overlapping policies allow update to non-allowed fields in directus | directus | directus | Medium | 5.4 | 2025-02-19 16:42:48 | Deep Dive |
| CVE-2025-24353 | Directus privilege escalation vulnerability using Share feature | directus | directus | Medium | 5.0 | 2025-01-23 17:45:33 | Deep Dive |
| CVE-2024-54151 | Directus allows unauthenticated access to WebSocket events and operations | directus | directus | High | 7.5 | 2024-12-09 20:57:28 | Deep Dive |
| CVE-2024-54128 | Directus has an HTML Injection in Comment | directus | directus | Medium | 5.7 | 2024-12-05 16:55:53 | Deep Dive |
| CVE-2024-47822 | Directus inserts access token from query string into logs | directus | directus | Medium | 4.2 | 2024-10-08 17:54:21 | Deep Dive |
| CVE-2024-46990 | SSRF Loopback IP filter bypass in directus | directus | directus | Medium | 5.0 | 2024-09-18 16:55:24 | Deep Dive |
| CVE-2024-45596 | Directus's session is cached for OpenID and OAuth2 if `redirect` is not used | directus | directus | High | 7.4 | 2024-09-10 18:43:33 | Deep Dive |
| CVE-2024-6534 | Directus 10.13.0 - Insecure object reference via PATH presets | Directus | Directus | Medium | 4.3 | 2024-08-15 03:10:47 | Deep Dive |
| CVE-2024-6533 | Directus 10.13.0 - DOM-Based cross-site scripting (XSS) via layout_options | Directus | Directus | Medium | 5.4 | 2024-08-15 03:04:08 | Deep Dive |
| CVE-2024-39896 | Directus allows SSO User Enumeration | directus | directus | High | 7.5 | 2024-07-08 17:27:56 | Deep Dive |
| CVE-2024-39895 | Directus GraphQL Field Duplication Denial of Service (DoS) | directus | directus | Medium | 6.5 | 2024-07-08 16:47:45 | Deep Dive |
| CVE-2024-39701 | Directus Incorrectly handles `_in` filter | directus | directus | Medium | 6.3 | 2024-07-08 16:43:02 | Deep Dive |
| CVE-2024-39699 | Directus has a Blind SSRF On File Import | directus | directus | Medium | 5.0 | 2024-07-08 15:32:05 | Deep Dive |
| CVE-2024-36128 | Directus is soft-locked by providing a string value to random string util | directus | directus | High | 7.5 | 2024-06-03 14:59:46 | Deep Dive |