
Directus — Vulnerabilities & Security Advisories (57)

Browse all 57 CVE security advisories affecting Directus. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Directus functions as an open-source data platform, enabling developers to build custom APIs and manage content via a flexible headless CMS architecture. Its extensive feature set, including real-time data synchronization and role-based access control, makes it a popular choice for enterprise applications requiring rapid backend deployment. However, this complexity has historically introduced significant security risks, with 57 Common Vulnerabilities and Exposures (CVEs) currently recorded. These incidents predominantly involve remote code execution, cross-site scripting, and privilege escalation flaws, often stemming from improper input validation or misconfigured authentication mechanisms. While the project maintains an active security response team, the high volume of past vulnerabilities highlights the challenges inherent in maintaining a rapidly evolving codebase. Users must prioritize regular patching and strict configuration audits to mitigate exposure to these known exploitation vectors.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2024-47822 | Directus inserts access token from query string into logs | directus | CWE-532 | 4.2 | Medium | 2024-10-08 |
| CVE-2024-46990 | SSRF Loopback IP filter bypass in directus | directus | CWE-284 | 5.0 | Medium | 2024-09-18 |
| CVE-2024-45596 | Directus's session is cached for OpenID and OAuth2 if `redirect` is not used | directus | CWE-524 | 7.4 | High | 2024-09-10 |
| CVE-2024-6534 | Directus 10.13.0 - Insecure object reference via PATH presets | Directus | CWE-639 | 4.3 | Medium | 2024-08-15 |
| CVE-2024-6533 | Directus 10.13.0 - DOM-Based cross-site scripting (XSS) via layout_options | Directus | CWE-79 | 5.4 | Medium | 2024-08-15 |
| CVE-2024-39896 | Directus allows SSO User Enumeration | directus | CWE-200 | 7.5 | High | 2024-07-08 |
| CVE-2024-39895 | Directus GraphQL Field Duplication Denial of Service (DoS) | directus | CWE-400 | 6.5 | Medium | 2024-07-08 |
| CVE-2024-39701 | Directus incorrectly handles `_in` filter | directus | CWE-284 | 6.3 | Medium | 2024-07-08 |
| CVE-2024-39699 | Directus has a Blind SSRF On File Import | directus | CWE-918 | 5.0 | Medium | 2024-07-08 |
| CVE-2024-36128 | Directus is soft-locked by providing a string value to random string util | directus | CWE-754 | 7.5 | High | 2024-06-03 |
| CVE-2024-34709 | Directus Lacks Session Tokens Invalidation | directus | CWE-613 | 5.4 | Medium | 2024-05-13 |
| CVE-2024-34708 | Directus allows redacted data extraction on the API through "alias" | directus | CWE-200 | 4.9 | Medium | 2024-05-13 |
| CVE-2024-28238 | Session Token in URL in directus | directus | CWE-200 | 2.3 | Low | 2024-03-12 |
| CVE-2024-28239 | URL Redirection to Untrusted Site in OAuth2/OpenID in directus | directus | CWE-601 | 5.4 | Medium | 2024-03-12 |
| CVE-2024-27296 | Directus version number disclosure | directus | CWE-200 | 5.3 | Medium | 2024-03-01 |
| CVE-2024-27295 | Directus MySQL accent insensitive email matching | directus | CWE-706 | 8.2 | High | 2024-03-01 |
| CVE-2023-45820 | Directus crashes on invalid WebSocket message | directus | CWE-755 | 5.9 | Medium | 2023-10-19 |
| CVE-2023-38503 | Directus has Incorrect Permission Checking for GraphQL Subscriptions | directus | CWE-200 | 5.7 | Medium | 2023-07-25 |
| CVE-2023-28443 | directus vulnerable to Insertion of Sensitive Information into Log File | directus | CWE-532 | 4.2 | Medium | 2023-03-23 |
| CVE-2023-27481 | Extract password hashes through export querying in directus | directus | CWE-200 | 4.3 | Medium | 2023-03-07 |
| CVE-2023-27474 | HTML Injection in Password Reset email to custom Reset URL in directus | directus | CWE-79 | 8.0 | High | 2023-03-06 |
| CVE-2023-26492 | Directus vulnerable to Server-Side Request Forgery On File Import | directus | CWE-918 | 5.0 | Medium | 2023-03-03 |
| CVE-2022-36031 | Unhandled exception on illegal filename_disk value | directus | CWE-755 | 6.5 | Medium | 2022-08-19 |
| CVE-2022-23080 | directus - SSRF which leads to internal port scan | directus | CWE-918 | 5.0 | - | 2022-06-22 |
| CVE-2022-24814 | Cross-site Scripting in Directus | directus | CWE-79 | 8.8 | High | 2022-04-04 |
| CVE-2022-22117 | Directus - Stored Cross-Site Scripting (XSS) in Profile Avatar Image | directus | CWE-79 | 5.4 | Medium | 2022-01-10 |
| CVE-2022-22116 | Directus - Stored Cross-Site Scripting (XSS) via SVG File Upload | directus | CWE-79 | 5.4 | Medium | 2022-01-10 |

This page lists every published CVE security advisory associated with Directus. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.