directus vulnerabilities

Browse known CVEs and advisories by package and ecosystem. Severity tells you the worst case. What determines real risk is whether the vulnerable code actually runs in your applications.

| CVE-ID | Severity | Package summary |
|---|---|---|
| CVE-2025-30350 | Medium | @directus/storage-driver-s3: Directus's S3 assets become unavailable after a burst of HEAD requests |
| CVE-2025-30225 | Medium | @directus/storage-driver-s3: Directus's S3 assets become unavailable after a burst of malformed transformations |
| CVE-2025-27089 | Medium | directus: Directus allows updates to non-allowed fields due to overlapping policies |
| GHSA-9QRM-48QF-R2RW | Low | directus: Directus has a DOM-Based cross-site scripting (XSS) via layout_options |
| CVE-2025-24353 | Medium | directus: Directus allows privilege escalation using Share feature |
| CVE-2024-54151 | High | directus: Directus allows unauthenticated access to WebSocket events and operations |
| CVE-2024-54128 | Medium | @directus/app: Directus has an HTML Injection in Comment |
| CVE-2024-46990 | Medium | directus: Directus vulnerable to SSRF Loopback IP filter bypass |
| CVE-2024-45596 | High | directus: Session is cached for OpenID and OAuth2 if `redirect` is not used |
| CVE-2024-6534 | Medium | directus: Directus has an insecure object reference via PATH presets |
| CVE-2024-39896 | High | directus: Directus Allows Single Sign-On User Enumeration |
| CVE-2024-39701 | High | directus: Directus incorrectly handles `_in` filter |
| CVE-2024-36128 | High | directus: Directus is soft-locked by providing a string value to random string util |
| CVE-2024-34709 | Medium | directus: Directus Lacks Session Tokens Invalidation |
| CVE-2024-34708 | Medium | directus: Directus allows redacted data extraction on the API through "alias" |
| CVE-2024-28239 | Medium | directus: URL Redirection to Untrusted Site in OAuth2/OpenID in directus |
| CVE-2024-28238 | Low | directus: Session Token in URL in directus |
| CVE-2024-27296 | Medium | directus: Directus version number disclosure |
| CVE-2024-27295 | High | directus: Directus has MySQL accent insensitive email matching |
| CVE-2023-45820 | High | directus: Directus crashes on invalid WebSocket message |
| GHSA-22RR-F3P8-5GF8 | High | directus: Directus affected by VM2 sandbox escape vulnerability |
| CVE-2023-38503 | Medium | directus: Incorrect Permission Checking for GraphQL Subscriptions |
| CVE-2020-19850 | Medium | directus: Directus API vulnerable to denial of service |
| CVE-2023-28443 | Medium | directus: directus vulnerable to Insertion of Sensitive Information into Log File |
| CVE-2023-27481 | Medium | directus: Directus vulnerable to extraction of password hashes through export querying |
