
Directus — Vulnerabilities & Security Advisories (57)

Browse all 57 CVE security advisories affecting Directus. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Directus is an open-source data platform: a headless CMS that exposes an existing SQL database through REST and GraphQL APIs, with role- and policy-based access control, file storage, Flows (automation triggered by events, webhooks or manual actions) and real-time WebSocket subscriptions. That feature surface is also its attack surface, and 57 CVEs are currently recorded against it. Judging by the advisories listed below, the dominant classes are information disclosure (concealed or non-permitted fields leaking through search, aggregate, revision-history and WebSocket paths, CWE-200/201/203), broken access control and authorization (file management, TUS uploads, Flows, overlapping policies, CWE-284/863), open redirects in the SSO and 2FA flows (CWE-601), SSRF filter bypass in file import (CWE-918), resource exhaustion (GraphQL alias amplification, bursts of S3 asset requests, CWE-400/770), and stored XSS and HTML injection. The project publishes advisories and fixes promptly, but the volume means operators must track releases and patch on a short cycle, and should audit permissions, policies and concealed-field configuration rather than rely on defaults.

Top products by Directus: directus

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-39943 | Directus exposes sensitive fields in revision history | directus | CWE-200 | 6.5 | Medium | 2026-04-09 |
| CVE-2026-39942 | Directus has a Path Traversal and Broken Access Control in File Management API | directus | CWE-284 | 8.5 | High | 2026-04-09 |
| CVE-2026-35442 | Directus: Authenticated Users Can Extract Concealed Fields via Aggregate Queries | directus | CWE-200 | 8.1 | High | 2026-04-06 |
| CVE-2026-35441 | Directus Affected by GraphQL Alias Amplification Denial-of-Service Due to Missing Query Cost/Complexity Limits | directus | CWE-400 | 6.5 | Medium | 2026-04-06 |
| CVE-2026-35413 | Directus GraphQL Schema SDL Disclosure Setting | directus | CWE-200 | 5.3 | Medium | 2026-04-06 |
| CVE-2026-35412 | Directus has a TUS Upload Authorization Bypass Allows Arbitrary File Overwrite | directus | CWE-863 | 7.1 | High | 2026-04-06 |
| CVE-2026-35411 | Directus is an Open Redirect in Admin 2FA Setup Page | directus | CWE-601 | 4.3 | Medium | 2026-04-06 |
| CVE-2026-35410 | Directus has an Open Redirect via Parser Bypass in OAuth2/SAML Authentication Flow | directus | CWE-184 | 6.1 | Medium | 2026-04-06 |
| CVE-2026-35409 | Directus has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in File Import | directus | CWE-918 | 7.7 | High | 2026-04-06 |
| CVE-2026-35408 | Directus is Missing Cross-Origin Opener Policy | directus | CWE-346 | 8.7 | High | 2026-04-06 |
| CVE-2026-26185 | Directus Affected by User Enumeration via Password Reset Timing Attack | directus | CWE-203 | 5.3 | Medium | 2026-02-12 |
| CVE-2026-22032 | Directus has open redirect in SAML | directus | CWE-601 | 4.3 | Medium | 2026-01-08 |
| CVE-2025-64749 | Directus Vulnerable to Information Leakage in Existing Collections | directus | CWE-203 | 4.3 | Medium | 2025-11-13 |
| CVE-2025-64748 | Directus's conceal fields are searchable if read permissions enabled | directus | CWE-201 | 6.5 | Medium | 2025-11-13 |
| CVE-2025-64747 | Directus Vulnerable to Stored Cross-site Scripting | directus | CWE-20 | 5.5 | Medium | 2025-11-13 |
| CVE-2025-64746 | Directus has Improper Permission Handling on Deleted Fields | directus | CWE-284 | 4.6 | Medium | 2025-11-13 |
| CVE-2025-55746 | Directus allows unauthenticated file upload and file modification due to lacking input sanitization | directus | CWE-73 | 9.3 | Critical | 2025-08-20 |
| CVE-2025-53889 | Directus missing permission checks for manual trigger Flows | directus | CWE-287 | 6.5 | Medium | 2025-07-14 |
| CVE-2025-53887 | Directus's exact version number is exposed by the OpenAPI Spec | directus | CWE-200 | 5.3 | Medium | 2025-07-14 |
| CVE-2025-53886 | Directus doesn't redact tokens in Flow logs | directus | CWE-200 | 4.5 | Medium | 2025-07-14 |
| CVE-2025-53885 | Directus doesn't redact sensitive user data when logging via event hooks | directus | CWE-532 | 4.2 | Medium | 2025-07-14 |
| CVE-2025-30353 | Directus's webhook trigger flows can leak sensitive data | directus | CWE-200 | 8.6 | High | 2025-03-26 |
| CVE-2025-30352 | Directus `search` query parameter allows enumeration of non permitted fields | directus | CWE-200 | 5.3 | Medium | 2025-03-26 |
| CVE-2025-30351 | Suspended Directus user can continue to use session token to access API | directus | CWE-672 | 3.5 | Low | 2025-03-26 |
| CVE-2025-30350 | Directus's S3 assets become unavailable after a burst of HEAD requests | directus | CWE-770 | 5.3 | Medium | 2025-03-26 |
| CVE-2025-30225 | Directus's S3 assets become unavailable after a burst of malformed transformations | directus | CWE-770 | 5.3 | Medium | 2025-03-26 |
| CVE-2025-27089 | Overlapping policies allow update to non-allowed fields in directus | directus | CWE-863 | 5.4 | Medium | 2025-02-19 |
| CVE-2025-24353 | Directus privilege escalation vulnerability using Share feature | directus | CWE-269 | 5.0 | Medium | 2025-01-23 |
| CVE-2024-54151 | Directus allows unauthenticated access to WebSocket events and operations | directus | CWE-200 | 7.5 | High | 2024-12-09 |
| CVE-2024-54128 | Directus has an HTML Injection in Comment | directus | CWE-80 | 5.7 | Medium | 2024-12-05 |
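The title of CVE-2026-35409 names a bug class worth recognising on sight: an SSRF blocklist that tests the parsed address literally, so an IPv4-mapped IPv6 literal such as `::ffff:127.0.0.1` is classified as IPv6 and never matches the IPv4 deny ranges. The Python below is an added illustration of that class written for this page; it is not Directus's file-import code and does not reproduce the reported issue. The `DENIED_NETWORKS` list, the constructed `STUB_DNS` table and all function names are assumptions.

```python
"""Naive vs. canonicalising SSRF host check (added example, not Directus code)."""
import ipaddress
from typing import Callable, Iterable
from urllib.parse import urlparse

# Assumed deny list for an outbound "fetch this URL" feature.
DENIED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16",          # link-local, incl. cloud metadata endpoints
    "0.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10", "::/128",
)]

# Constructed stand-in for DNS so the example runs offline.
STUB_DNS = {
    "files.example.com": ["8.8.8.8"],                  # a public address
    "metadata.internal": ["::ffff:169.254.169.254"],   # mapped link-local
}


def stub_resolve(hostname: str) -> list:
    return STUB_DNS.get(hostname, [])


def _in_denied(addr) -> bool:
    # ipaddress returns False (not an error) when the address and network
    # have different IP versions, which is exactly what the naive check misses.
    return any(addr in net for net in DENIED_NETWORKS)


def naive_is_denied(host: str) -> bool:
    """Vulnerable pattern: membership test on the address exactly as parsed.
    '::ffff:127.0.0.1' parses as an IPv6Address, so every IPv4 range is skipped."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # not a literal; this toy only inspects literals
    return _in_denied(addr)


def canonical_address(addr):
    """Unwrap IPv6 transition forms that embed an IPv4 address."""
    if isinstance(addr, ipaddress.IPv6Address):
        if addr.ipv4_mapped is not None:   # ::ffff:a.b.c.d / ::ffff:xxxx:xxxx
            return addr.ipv4_mapped
        if addr.sixtofour is not None:     # 2002:AABB:CCDD::/48
            return addr.sixtofour
        if addr.teredo is not None:        # 2001:0::/32 -> (server, client)
            return addr.teredo[1]
    return addr


def hardened_is_denied(host: str) -> bool:
    """Canonicalise first, then test both the explicit list and the
    address-class flags, so the result no longer depends on spelling."""
    try:
        addr = canonical_address(ipaddress.ip_address(host))
    except ValueError:
        return True  # not a literal: caller must resolve and re-check
    return (_in_denied(addr) or addr.is_private or addr.is_loopback
            or addr.is_link_local or addr.is_multicast or addr.is_unspecified)


def is_safe_import_url(url: str,
                       resolve: Callable[[str], Iterable[str]] = stub_resolve) -> bool:
    """Allow only http(s) URLs whose host, after resolution, is public.
    urlparse().hostname strips the brackets around an IPv6 literal."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname
    try:
        ipaddress.ip_address(host)
        candidates = [host]
    except ValueError:
        candidates = list(resolve(host))
        if not candidates:
            return False  # unresolvable: fail closed
    # Every record a name resolves to must pass, not just the first one.
    return all(not hardened_is_denied(c) for c in candidates)


if __name__ == "__main__":
    for h in ("127.0.0.1", "::ffff:127.0.0.1", "::ffff:7f00:1"):
        print(f"{h:20} naive={naive_is_denied(h)!s:5} hardened={hardened_is_denied(h)}")
```

Two caveats apply when this is used for real. The address that passed the check must be the one actually connected to (pin the resolved address for the fetch, or re-check on every redirect), otherwise DNS rebinding or a 30x to an internal host defeats the filter. And the deny list is the second line of defence; where the feature only needs a handful of upstream hosts, an allow list is the stronger control.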

The table above shows 30 of the 57 published CVE security advisories associated with Directus. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.