
Directus — Vulnerabilities & Security Advisories (57)

Index of the 57 CVEs recorded for Directus, each with AI-generated Chinese analysis, references, and proof-of-concept material where available. The table below lists 30 of them, newest first; CVSS is the base score, and the CWE column gives the weakness class assigned in the advisory.

Vendor: directus

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-39943 | Directus exposes sensitive fields in revision history | CWE-200 | 6.5 | Medium | 2026-04-09 |
| CVE-2026-39942 | Directus has a Path Traversal and Broken Access Control in File Management API | CWE-284 | 8.5 | High | 2026-04-09 |
| CVE-2026-35442 | Directus: Authenticated Users Can Extract Concealed Fields via Aggregate Queries | CWE-200 | 8.1 | High | 2026-04-06 |
| CVE-2026-35441 | Directus Affected by GraphQL Alias Amplification Denial-of-Service Due to Missing Query Cost/Complexity Limits | CWE-400 | 6.5 | Medium | 2026-04-06 |
| CVE-2026-35413 | Directus GraphQL Schema SDL Disclosure Setting | CWE-200 | 5.3 | Medium | 2026-04-06 |
| CVE-2026-35412 | Directus has a TUS Upload Authorization Bypass Allows Arbitrary File Overwrite | CWE-863 | 7.1 | High | 2026-04-06 |
| CVE-2026-35411 | Directus is an Open Redirect in Admin 2FA Setup Page | CWE-601 | 4.3 | Medium | 2026-04-06 |
| CVE-2026-35410 | Directus has an Open Redirect via Parser Bypass in OAuth2/SAML Authentication Flow | CWE-184 | 6.1 | Medium | 2026-04-06 |
| CVE-2026-35409 | Directus has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in File Import | CWE-918 | 7.7 | High | 2026-04-06 |
| CVE-2026-35408 | Directus is Missing Cross-Origin Opener Policy | CWE-346 | 8.7 | High | 2026-04-06 |
| CVE-2026-26185 | Directus Affected by User Enumeration via Password Reset Timing Attack | CWE-203 | 5.3 | Medium | 2026-02-12 |
| CVE-2026-22032 | Directus has open redirect in SAML | CWE-601 | 4.3 | Medium | 2026-01-08 |
| CVE-2025-64749 | Directus Vulnerable to Information Leakage in Existing Collections | CWE-203 | 4.3 | Medium | 2025-11-13 |
| CVE-2025-64748 | Directus's conceal fields are searchable if read permissions enabled | CWE-201 | 6.5 | Medium | 2025-11-13 |
| CVE-2025-64747 | Directus Vulnerable to Stored Cross-site Scripting | CWE-20 | 5.5 | Medium | 2025-11-13 |
| CVE-2025-64746 | Directus has Improper Permission Handling on Deleted Fields | CWE-284 | 4.6 | Medium | 2025-11-13 |
| CVE-2025-55746 | Directus allows unauthenticated file upload and file modification due to lacking input sanitization | CWE-73 | 9.3 | Critical | 2025-08-20 |
| CVE-2025-53889 | Directus missing permission checks for manual trigger Flows | CWE-287 | 6.5 | Medium | 2025-07-14 |
| CVE-2025-53887 | Directus's exact version number is exposed by the OpenAPI Spec | CWE-200 | 5.3 | Medium | 2025-07-14 |
| CVE-2025-53886 | Directus doesn't redact tokens in Flow logs | CWE-200 | 4.5 | Medium | 2025-07-14 |
| CVE-2025-53885 | Directus doesn't redact sensitive user data when logging via event hooks | CWE-532 | 4.2 | Medium | 2025-07-14 |
| CVE-2025-30353 | Directus's webhook trigger flows can leak sensitive data | CWE-200 | 8.6 | High | 2025-03-26 |
| CVE-2025-30352 | Directus `search` query parameter allows enumeration of non permitted fields | CWE-200 | 5.3 | Medium | 2025-03-26 |
| CVE-2025-30351 | Suspended Directus user can continue to use session token to access API | CWE-672 | 3.5 | Low | 2025-03-26 |
| CVE-2025-30350 | Directus's S3 assets become unavailable after a burst of HEAD requests | CWE-770 | 5.3 | Medium | 2025-03-26 |
| CVE-2025-30225 | Directus's S3 assets become unavailable after a burst of malformed transformations | CWE-770 | 5.3 | Medium | 2025-03-26 |
| CVE-2025-27089 | Overlapping policies allow update to non-allowed fields in directus | CWE-863 | 5.4 | Medium | 2025-02-19 |
| CVE-2025-24353 | Directus privilege escalation vulnerability using Share feature | CWE-269 | 5.0 | Medium | 2025-01-23 |
| CVE-2024-54151 | Directus allows unauthenticated access to WebSocket events and operations | CWE-200 | 7.5 | High | 2024-12-09 |
| CVE-2024-54128 | Directus has an HTML Injection in Comment | CWE-80 | 5.7 | Medium | 2024-12-05 |
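One entry above, CVE-2026-35409, names a bypass class worth seeing concretely: a server-side fetcher that refuses private IPv4 destinations but never inspects IPv6 literals lets `::ffff:127.0.0.1` through, and the socket layer then connects to 127.0.0.1 anyway. The Node.js snippet below is an added example written for this page. It is not Directus code, not the advisory's proof of concept, and makes no claim about how the Directus filter was written; the function names, the blocked-range list and the sample addresses are this example's own. It puts a deliberately weak destination check beside one that normalises the address before deciding.

```javascript
// Added illustration of the vulnerability class behind CVE-2026-35409
// (SSRF filter bypass via IPv4-mapped IPv6). Generic Node.js, not Directus
// code: a weak check beside a hardened one. Names and ranges are this
// example's own. Both checks take the *resolved* IP literal a fetcher is
// about to connect to; hostnames must be resolved first and the result
// re-checked, which this example does not cover.

// Destination ranges a server-side fetcher should refuse: loopback, RFC 1918,
// link-local (incl. cloud metadata at 169.254.169.254), unspecified.
// Constructed list for the example.
const BLOCKED_V4 = [
  ["127.0.0.0", 8], ["10.0.0.0", 8], ["172.16.0.0", 12],
  ["192.168.0.0", 16], ["169.254.0.0", 16], ["0.0.0.0", 8],
];

// Strict dotted-quad test. Octets with a leading zero are rejected on purpose:
// inet_aton-style parsers read them as octal, another classic filter mismatch.
function isDottedQuadV4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  return !!m && m.slice(1).every((o) => Number(o) <= 255 && (o === "0" || !o.startsWith("0")));
}

function v4ToInt(addr) {
  return addr.split(".").reduce((acc, o) => acc * 256 + Number(o), 0);
}

function inBlockedV4(addr) {
  const ip = v4ToInt(addr);
  return BLOCKED_V4.some(([base, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((ip & mask) >>> 0) === ((v4ToInt(base) & mask) >>> 0);
  });
}

// WEAK: only dotted-quad IPv4 literals are inspected. Every IPv6 literal,
// including ::ffff:127.0.0.1 (delivered to 127.0.0.1 by the OS), passes.
function isSafeTargetNaive(ip) {
  if (isDottedQuadV4(ip)) return !inBlockedV4(ip);
  return true;
}

// If `ip` is an IPv4-mapped IPv6 literal (::ffff:a.b.c.d, the hex form
// ::ffff:7f00:1, or either with the zero groups written out, optionally in
// URL brackets), return the embedded IPv4 address as a dotted quad; else null.
function unmapV4FromV6(ip) {
  const h = ip.replace(/^\[|\]$/g, "").toLowerCase();
  const m = /^(?:(?:0{1,4}:){5}|::|(?:0{1,4}:){1,4}:)ffff:(.+)$/.exec(h);
  if (!m) return null;
  const tail = m[1];
  if (isDottedQuadV4(tail)) return tail;
  const hex = /^([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(tail);
  if (!hex) return null;
  const hi = parseInt(hex[1], 16);
  const lo = parseInt(hex[2], 16);
  return [hi >> 8, hi & 0xff, lo >> 8, lo & 0xff].join(".");
}

// HARDENED: normalise first, decide second. Mapped addresses are judged as the
// IPv4 they really are. Anything else that is not a plain IPv4 literal is
// refused (fail closed); a production check would additionally expand native
// IPv6 and block ::1, fe80::/10, fc00::/7 and so on, which is out of scope here.
function isSafeTargetHardened(ip) {
  const bare = ip.replace(/^\[|\]$/g, "");
  if (isDottedQuadV4(bare)) return !inBlockedV4(bare);
  const mapped = unmapV4FromV6(bare);
  if (mapped !== null) return !inBlockedV4(mapped);
  return false;
}

// Side-by-side view for a list of candidate targets.
function compareChecks(ips) {
  return ips.map((ip) => ({ ip, naive: isSafeTargetNaive(ip), hardened: isSafeTargetHardened(ip) }));
}

// Constructed sample inputs; the two mapped forms of 127.0.0.1 are the bypass.
const SAMPLE_TARGETS = ["127.0.0.1", "::ffff:127.0.0.1", "::ffff:7f00:1", "[::ffff:169.254.169.254]", "93.184.216.34"];
console.table(compareChecks(SAMPLE_TARGETS));
```

The general lesson, independent of any one product: a destination allow/deny decision must run on the canonical form of the address the socket will actually use, and the decision must be repeated after DNS resolution, otherwise the textual filter and the kernel's interpretation of the same bytes disagree.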
