VYPR

All CVEs

67 total · sorted by risk
  • CVE-2018-10723 · Critical · May 5, 2018
    risk 0.64 · cvss 9.8 · epss 0.01

    Directus 6.4.9 has a hardcoded admin password for the Admin account because of an INSERT statement in api/schema.sql.

  • CVE-2026-35408 · High · Apr 6, 2026
    risk 0.50 · cvss 8.7 · epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus's Single Sign-On (SSO) login pages lacked a Cross-Origin-Opener-Policy (COOP) HTTP response header. Without this header, a malicious cross-origin window that opens the…

  • CVE-2026-39942 · High · Apr 9, 2026
    risk 0.48 · cvss 8.5 · epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite…

  • CVE-2026-35442 · High · Apr 6, 2026
    risk 0.46 · cvss 8.1 · epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, aggregate functions (min, max) applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy,…

  • CVE-2026-35409 · High · Apr 6, 2026
    risk 0.43 · cvss 7.7 · epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.0, a Server-Side Request Forgery (SSRF) protection bypass has been identified and fixed in Directus. The IP address validation mechanism used to block requests to local and private…

  • CVE-2026-35412 · High · Apr 6, 2026
    risk 0.39 · cvss 7.1 · epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, Directus' TUS resumable upload endpoint (/files/tus) allows any authenticated user with basic file upload permissions to overwrite arbitrary existing files by UUID. The TUS…

  • CVE-2026-39943 · Medium · Apr 9, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus stores revision records (in directus_revisions) whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta…

  • CVE-2026-35441 · Medium · Apr 6, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus' GraphQL endpoints (/graphql and /graphql/system) did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to…

  • CVE-2026-35410 · Medium · Apr 6, 2026
    risk 0.33 · cvss 6.1 · epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, an open redirect vulnerability exists in the login redirection logic. The isLoginRedirectAllowed function fails to correctly identify certain malformed URLs as external, allowing…

  • CVE-2026-35413 · Medium · Apr 6, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, when GRAPHQL_INTROSPECTION=false is configured, Directus correctly blocks standard GraphQL introspection queries (__schema, __type). However, the server_specs_graphql resolver on…

  • CVE-2026-35411 · Medium · Apr 6, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, Directus is vulnerable to an open redirect via the redirect query parameter on the /admin/tfa-setup page. When an administrator who has not yet configured Two-Factor Authentication…

  • CVE-2026-26185 · Feb 12, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. Before 11.14.1, a timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reset_url parameter is provided, the response time differs by approximately…

  • CVE-2026-22032 · Jan 8, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.14.0, an open redirect vulnerability exists in the Directus SAML authentication callback endpoint. During SAML authentication, the `RelayState` parameter is intended to preserve…

  • CVE-2025-64749 · Nov 13, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. An observable difference in error messaging was found in the Directus REST API in versions of Directus prior to version 11.13.0. The `/items/{collection}` API returns different error messages for…

  • CVE-2025-64748 · Nov 13, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. A vulnerability in versions prior to 11.13.0 allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked (`****`), successful…

  • CVE-2025-64747 · Nov 13, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 11.13.0 that allows users with `upload files` and `edit item` permissions to inject malicious JavaScript through the…

  • CVE-2025-64746 · Nov 13, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.13.0, Directus does not properly clean up field-level permissions when a field is deleted. When a field is removed from a collection, its reference in the permissions table…

  • CVE-2025-55746 · Aug 20, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary contents (without changes being…

  • CVE-2025-53889 · Jul 14, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.9.0, Directus Flows with a manual trigger are not validating whether the user triggering the Flow has permissions to the items provided as payload…

  • CVE-2025-53887 · Jul 14, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, the exact Directus version number is incorrectly being used as OpenAPI Spec version this means that it is being exposed by the…

  • CVE-2025-53886 · Jul 14, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows with the WebHook trigger all incoming request details are logged including security sensitive data like access and…

  • CVE-2025-53885 · Jul 14, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows to handle CRUD events for users it is possible to log the incoming data to console using the "Log to Console"…

  • CVE-2025-30353 · Mar 26, 2025
    risk 0.00 · cvss n/a · epss 0.01

    Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.5.0, when a Flow with the "Webhook" trigger and the "Data of Last Operation" response body encounters a ValidationError thrown by a failed…

  • CVE-2025-30352 · Mar 26, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0-alpha.4 and prior to version 11.5.0, the `search` query parameter allows users with access to a collection to filter items based on fields they do not have permission to…

  • CVE-2025-30351 · Mar 26, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.10.0 and prior to version 11.5.0, a suspended user can use the token generated in session auth mode to access the API despite their status. This happens because there is a…

  • CVE-2025-30350 · Mar 26, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. The `@directus/storage-driver-s3` package starting in version 9.22.0 and prior to version 12.0.1, corresponding to Directus starting in version 9.22.0 and prior to 11.5.0, is vulnerable to asset…

  • CVE-2025-30225 · Mar 26, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. The `@directus/storage-driver-s3` package starting in version 9.22.0 and prior to version 12.0.1, corresponding to Directus starting in version 9.22.0 and prior to 11.5.0, is vulnerable to asset…

  • CVE-2025-27089 · Feb 19, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. In affected versions if there are two overlapping policies for the `update` action that allow access to different fields, instead of correctly checking access permissions against the item they apply…

  • CVE-2025-24353 · Jan 23, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.2.0, when sharing an item, a typical user can specify an arbitrary role. It allows the user to use a higher-privileged role to see fields that otherwise the user should not be…

  • CVE-2024-54151 · Dec 9, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 11.0.0 and prior to version 11.3.0, when setting `WEBSOCKETS_GRAPHQL_AUTH` or `WEBSOCKETS_REST_AUTH` to "public", an unauthenticated user is able to do any of the supported…

  • CVE-2024-54128 · Dec 5, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. The Comment feature has implemented a filter to prevent users from adding restricted characters, such as HTML tags. However, this filter operates on the client-side, which can be bypassed, making…

  • CVE-2024-47822 · Oct 8, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. Access tokens from query strings are not redacted and are potentially exposed in system logs which may be persisted. The access token in `req.query` is not redacted when the `LOG_STYLE` is set to…

  • CVE-2024-46990 · Sep 18, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. When relying on blocking access to localhost using the default `0.0.0.0` filter a user may bypass this block by using other registered loopback devices (like `127.0.0.2` - `127.127.127.127`). This…

  • CVE-2024-45596 · Sep 10, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Directus is a real-time API and App dashboard for managing SQL database content. An unauthenticated user can access credentials of last authenticated user via OpenID or OAuth2 where the authentication URL did not include redirect query string. This happens because on that…

  • CVE-2024-6534 · Aug 15, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the 'POST /presets' request but not in the PATCH request. When…

  • CVE-2024-6533 · Aug 15, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Directus v10.13.0 allows an authenticated external attacker to execute arbitrary JavaScript on the client. This is possible because the application injects an attacker-controlled parameter that will be stored in the server and used by the client into an unsanitized DOM element.…

  • CVE-2024-39896 · Jul 8, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Directus is a real-time API and App dashboard for managing SQL database content. When relying on SSO providers in combination with local authentication it can be possible to enumerate existing SSO users in the instance. This is possible because if an email address exists in…

  • CVE-2024-39895 · Jul 8, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Directus is a real-time API and App dashboard for managing SQL database content. A denial of service (DoS) attack by field duplication in GraphQL is a type of attack where an attacker exploits the flexibility of GraphQL to overwhelm a server by requesting the same field multiple…

  • CVE-2024-39701 · Jul 8, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. Directus >=9.23.0, <=v10.5.3 improperly handles _in, _nin operators. It evaluates empty arrays as valid so expressions like {"role": {"_in": $CURRENT_USER.some_field}} would evaluate to true…

  • CVE-2024-39699 · Jul 8, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. There was already a reported SSRF vulnerability via file import. It was fixed by resolving all DNS names and checking if the requested IP is an internal IP address. However it is possible to bypass…

  • CVE-2024-36128 · Jun 3, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.2, providing a non-numeric length value to the random string generation utility will create a memory issue breaking the capability to generate random strings platform wide. This…

  • CVE-2024-34709 · May 13, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.0, session tokens function like the other JWT tokens where they are not actually invalidated when logging out. The `directus_session` gets destroyed and the cookie gets deleted but if…

  • CVE-2024-34708 · May 13, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Directus is a real-time API and App dashboard for managing SQL database content. A user with permission to view any collection using redacted hashed fields can get access to the raw stored version using the `alias` functionality on the API. Normally, these redacted fields will…

  • CVE-2024-28238 · Mar 12, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. When reaching the /files page, a JWT is passed via GET request. Inclusion of session tokens in URLs poses a security risk as URLs are often logged in various places (e.g., web server logs, browser…

  • CVE-2024-28239 · Mar 12, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Directus is a real-time API and App dashboard for managing SQL database content. The authentication API has a `redirect` parameter that can be exploited as an open redirect vulnerability as the user tries to log in via the API URL. There's a redirect that is done after…

  • CVE-2024-27296 · Mar 1, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 10.8.3, the exact Directus version number was being shipped in compiled JS bundles which are accessible without authentication. With this information a malicious attacker can…

  • CVE-2024-27295 · Mar 1, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Directus is a real-time API and App dashboard for managing SQL database content. The password reset mechanism of the Directus backend allows attackers to receive a password reset email of a victim user, specifically having it arrive at a similar email address as the victim with…

  • CVE-2023-45820 · Oct 19, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Directus is a real-time API and App dashboard for managing SQL database content. In affected versions any Directus installation that has websockets enabled can be crashed if the websocket server receives an invalid frame. A malicious user could leverage this bug to crash…

  • CVE-2023-38503 · Jul 25, 2023
    risk 0.00 · cvss n/a · epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.3.0 and prior to version 10.5.0, the permission filters (i.e. `user_created IS $CURRENT_USER`) are not properly checked when using GraphQL subscription resulting in…

  • CVE-2020-19850 · Apr 4, 2023
    risk 0.00 · cvss n/a · epss 0.01

    An issue found in Directus API v.2.2.0 allows a remote attacker to cause a denial of service via a large number of HTTP requests.

Page 1 of 2