directus vulnerabilities

Known CVEs and advisories for the directus package (npm), listed by identifier and severity. A severity rating describes the worst case; the real risk in a given deployment depends on whether the vulnerable code path is actually reachable and executed by your application.
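The triage principle above, reachability over raw severity, as an added example that is not Kodem's or the Directus project's code. It walks a constructed call graph from the application's entry points, records the shortest path to each symbol an advisory flags, and ranks reachable findings above unreachable ones of any severity. The graph, the entry points and the advisory identifiers (ADV-A, ADV-B, ADV-C) are all constructed for illustration and do not correspond to the CVEs listed on this page.

```javascript
// Added example, not code from Kodem or the Directus project: reachability-
// based triage of advisories. Severity is the worst case; this walk decides
// whether the application can actually execute the flagged code. The call
// graph, entry points and advisory identifiers below are constructed.

// Caller -> callees. 'app:*' nodes are the application's own modules,
// 'dep:*' nodes live inside a third-party package.
const CALL_GRAPH = {
  'app:server': ['app:routes/files', 'app:routes/items'],
  'app:routes/files': ['dep:upload/tus'],
  'app:routes/items': ['dep:query/aggregate'],
  'dep:upload/tus': ['dep:storage/write'],
  'dep:query/aggregate': ['dep:query/fields'],
  'dep:auth/saml': ['dep:auth/redirect'],      // shipped in the package, never called by the app
  'dep:graphql/execute': ['dep:query/fields'], // likewise never called by the app
};

// Hypothetical advisories: worst-case severity plus the symbols that hold
// the vulnerable code. Note ADV-C flags a caller of a reachable function,
// not the reachable function itself, so it is still unreachable.
const ADVISORIES = [
  { id: 'ADV-A', severity: 'High', symbols: ['dep:storage/write'] },
  { id: 'ADV-B', severity: 'Medium', symbols: ['dep:auth/redirect'] },
  { id: 'ADV-C', severity: 'Medium', symbols: ['dep:graphql/execute'] },
];

// Breadth-first search from the entry points. Returns the shortest call
// path to `target`, or null when no entry point reaches it.
function pathTo(graph, entryPoints, target) {
  const parent = new Map(entryPoints.map((e) => [e, null]));
  const queue = [...entryPoints];
  while (queue.length > 0) {
    const node = queue.shift();
    if (node === target) {
      const path = [];
      for (let n = node; n !== null; n = parent.get(n)) path.unshift(n);
      return path;
    }
    for (const callee of graph[node] || []) {
      if (!parent.has(callee)) {
        parent.set(callee, node);
        queue.push(callee);
      }
    }
  }
  return null;
}

// For each advisory, record the first vulnerable symbol the app can reach
// and the evidence path. Unreachable findings keep their rating but are
// ranked below every reachable one; within a group, higher severity first.
function triage(graph, entryPoints, advisories) {
  const RANK = { Critical: 4, High: 3, Medium: 2, Low: 1 };
  const results = advisories.map((adv) => {
    let path = null;
    for (const sym of adv.symbols) {
      path = pathTo(graph, entryPoints, sym);
      if (path) break;
    }
    return { id: adv.id, severity: adv.severity, reachable: path !== null, path };
  });
  return results.sort(
    (a, b) => Number(b.reachable) - Number(a.reachable) || RANK[b.severity] - RANK[a.severity],
  );
}

// Stand-alone run: print the ranked list with the evidence path.
for (const r of triage(CALL_GRAPH, ['app:server'], ADVISORIES)) {
  console.log(r.id, r.severity, r.reachable ? `reachable: ${r.path.join(' -> ')}` : 'unreachable');
}
```

In practice the call graph comes from a static analyser over the lockfile-resolved dependency tree, and the flagged symbols from the advisory's patch diff; the ranking logic stays the same. A finding whose symbols are unreachable is still worth patching on the next upgrade, but it should not pre-empt a reachable High.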


CVE-ID                Severity  Package   Summary
CVE-2026-35442        High      directus  Directus: Authenticated Users Can Extract Concealed Fields via Aggregate Queries
GHSA-6Q22-G298-GRJH   High      directus  Directus: Unauthenticated Denial of Service via GraphQL Alias Amplification of Expensive Health…
CVE-2026-35441        Medium    directus  Directus: GraphQL Alias Amplification Denial of Service Due to Missing Query Cost/Complexity Limits
CVE-2026-39943        Medium    directus  Directus: Sensitive fields exposed in revision history
CVE-2026-35412        High      directus  Directus: TUS Upload Authorization Bypass Allows Arbitrary File Overwrite
CVE-2026-35409        High      directus  Directus: SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in File Import
CVE-2026-35413        Medium    directus  Directus: GraphQL Schema SDL Disclosure Setting
CVE-2026-35410        Medium    directus  Directus: Open Redirect via Parser Bypass in OAuth2/SAML Authentication Flow
CVE-2026-35411        Medium    directus  Directus: Open Redirect in Admin 2FA Setup Page
CVE-2026-39942        High      directus  Directus: Path Traversal and Broken Access Control in File Management API
CVE-2026-35408        High      directus  Directus: Missing Cross-Origin Opener Policy
CVE-2026-26185        Medium    directus  Directus Vulnerable to User Enumeration via Password Reset Timing Attack
CVE-2026-22032        Medium    directus  Directus has open redirect in SAML
CVE-2025-64747        Medium    directus  Directus is Vulnerable to Stored Cross-site Scripting
CVE-2025-64746        Medium    directus  Directus has Improper Permission Handling on Deleted Fields
CVE-2025-64749        Medium    directus  Directus Vulnerable to Information Leakage in Existing Collections
CVE-2025-64748        Medium    directus  Directus's conceal fields are searchable if read permissions enabled
CVE-2025-55746        Critical  directus  Directus allows unauthenticated file upload and file modification due to lacking input sanitization
CVE-2025-53889        Medium    directus  Directus' insufficient permission checks can enable unauthenticated users to manually trigger Flows
CVE-2025-53887        Medium    directus  Directus' exact version number is exposed by the OpenAPI Spec
CVE-2025-53886        Medium    directus  Directus tokens are not redacted in flow logs, exposing session credentials to all admins
CVE-2025-53885        Medium    directus  Directus is vulnerable to sensitive data exposure as user data is not being redacted when logged
CVE-2025-30353        High      directus  Directus's webhook trigger flows can leak sensitive data
CVE-2025-30352        Medium    directus  Directus `search` query parameter allows enumeration of non-permitted fields
CVE-2025-30351        Low       directus  Directus: Suspended Directus user can continue to use session token to access API
