cbcvebase.

Monospace Directus vulnerabilities

54 known vulnerabilities affecting monospace/directus.

Total CVEs: 54
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 11, MEDIUM 40, LOW 1

Vulnerabilities

Page 1 of 3
CVE-2026-35412 | P3 | HIGH | CVSS 8.1 | CWE-863 | fixed in 11.16.1 | 2026-04-06
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, Directus' TUS resumable upload endpoint (/files/tus) allows any authenticated user with basic file upload permissions to overwrite arbitrary existing files by UUID. The TUS controller performs only collection-level authorization checks, verifying the use
Source: NVD
CVE-2026-39942 | P3 | HIGH | CVSS 8.8 | CWE-284 | fixed in 11.17.0 | 2026-04-09
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content while manipulating metadata fields such as uploaded_by
Source: NVD
CVE-2026-35442 | P3 | HIGH | CVSS 8.1 | CWE-200 | fixed in 11.17.0 | 2026-04-06
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, aggregate functions (min, max) applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any authenticated user with read access to the affected collection can ex
Source: NVD
CVE-2026-35408 | P3 | CRITICAL | CVSS 9.3 | CWE-346 | fixed in 11.17.0 | 2026-04-06
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus's Single Sign-On (SSO) login pages lacked a Cross-Origin-Opener-Policy (COOP) HTTP response header. Without this header, a malicious cross-origin window that opens the Directus login page retains the ability to access and manipulate the wind
Source: NVD
CVE-2025-55746 | P3 | HIGH | CVSS 7.5 | CWE-73 | affected ≥ 10.8.0, < 11.9.3 | 2025-08-20
Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary contents (without changes being applied to the files' database-resident metadata) and / or upload new files, with
Source: NVD
CVE-2026-35409 | P3 | HIGH | CVSS 7.7 | CWE-918 | fixed in 11.16.0 | 2026-04-06
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.0, a Server-Side Request Forgery (SSRF) protection bypass has been identified and fixed in Directus. The IP address validation mechanism used to block requests to local and private networks could be circumvented using IPv4-Mapped IPv6 address notation. This
Source: NVD
CVE-2024-54151 | P3 | HIGH | CVSS 7.5 | CWE-200 | affected ≥ 11.0.0, < 11.3.0 | 2024-12-09
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 11.0.0 and prior to version 11.3.0, when setting `WEBSOCKETS_GRAPHQL_AUTH` or `WEBSOCKETS_REST_AUTH` to "public", an unauthenticated user is able to do any of the supported operations (CRUD, subscriptions) with full admin privileges. This impacts any D
Source: NVD
CVE-2024-27295 | P3 | HIGH | CVSS 8.2 | CWE-706 | fixed in 10.8.3 | 2024-03-01
Directus is a real-time API and App dashboard for managing SQL database content. The password reset mechanism of the Directus backend allows attackers to receive a password reset email of a victim user, specifically having it arrive at an email address similar to the victim's, with one or more characters changed to use accents. This is due to the fact th
Source: NVD
CVE-2024-39701 | P3 | HIGH | CVSS 7.7 | CWE-284 | affected ≥ 9.23.0, < 10.6.0 | 2024-07-08
Directus is a real-time API and App dashboard for managing SQL database content. Directus >=9.23.0, <=v10.5.3 improperly handles _in, _nin operators. It evaluates empty arrays as valid so expressions like {"role": {"_in": $CURRENT_USER.some_field}} would evaluate to true allowing the request to pass. This results in Broken Access Control because the ru
Source: NVD
CVE-2023-26492 | P3 | HIGH | CVSS 7.5 | CWE-918 | fixed in 9.23.0 | 2023-03-03
Directus is a real-time API and App dashboard for managing SQL database content. Directus is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to `/files/import`). An attacker can bypass the security controls by performing a DNS rebinding attack and view sensitive data from internal servers or perfor
Source: NVD
CVE-2025-30353 | P3 | HIGH | CVSS 7.5 | CWE-200 | affected ≥ 9.12.0, < 11.5.0 | 2025-03-26
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.5.0, when a Flow with the "Webhook" trigger and the "Data of Last Operation" response body encounters a ValidationError thrown by a failed condition operation, the API response includes sensitive data. This includes envir
Source: NVD
CVE-2022-26969 | P3 | CRITICAL | CVSS 9.8 | CWE-942 | fixed in 9.7.0 | 2022-12-26
In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true.
Source: NVD
CVE-2026-39943 | P3 | MEDIUM | CVSS 6.5 | CWE-200 | fixed in 11.17.0 | 2026-04-09
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus stores revision records (in directus_revisions) whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline, sensitive fields (including user tokens, two-factor authe
Source: NVD
CVE-2024-36128 | P3 | HIGH | CVSS 7.5 | CWE-754 | fixed in 10.11.2 | 2024-06-03
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.2, providing a non-numeric length value to the random string generation utility will create a memory issue breaking the capability to generate random strings platform wide. This creates a denial of service situation where logged in sessions can no longer be
Source: NVD
CVE-2024-45596 | P3 | MEDIUM | CVSS 6.5 | CWE-524 | fixed in 10.13.3; affected ≥ 11.0.0, < 11.1.0 | 2024-09-10
Directus is a real-time API and App dashboard for managing SQL database content. An unauthenticated user can access credentials of last authenticated user via OpenID or OAuth2 where the authentication URL did not include redirect query string. This happens because on that endpoint for both OpenId and Oauth2 Directus is using the respond middleware, w
Source: NVD
CVE-2025-64748 | P3 | MEDIUM | CVSS 6.5 | CWE-201 | fixed in 11.13.0 | 2025-11-13
Directus is a real-time API and App dashboard for managing SQL database content. A vulnerability in versions prior to 11.13.0 allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked (`****`), successful matches can be detected through returned records, enabling enumeration att
Source: NVD
CVE-2025-53889 | P3 | MEDIUM | CVSS 6.5 | CWE-287 | affected ≥ 9.12.0, < 11.9.0 | 2025-07-15
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.9.0, Directus Flows with a manual trigger are not validating whether the user triggering the Flow has permissions to the items provided as payload to the Flow. Depending on what the Flow is set up to do this can lead to
Source: NVD
CVE-2026-35441 | P3 | MEDIUM | CVSS 6.5 | CWE-400 | fixed in 11.17.0 | 2026-04-06
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus' GraphQL endpoints (/graphql and /graphql/system) did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to repeat an expensive relational query many times in a single request, fo
Source: NVD
CVE-2023-38503 | P3 | MEDIUM | CVSS 6.5 | CWE-200 | affected ≥ 10.3.0, < 10.5.0 | 2023-07-25
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.3.0 and prior to version 10.5.0, the permission filters (i.e. `user_created IS $CURRENT_USER`) are not properly checked when using GraphQL subscription resulting in unauthorized users getting event on their subscription which they should not be re
Source: NVD
CVE-2024-39895 | P3 | MEDIUM | CVSS 6.5 | CWE-400 | fixed in 10.12.0 | 2024-07-08
Directus is a real-time API and App dashboard for managing SQL database content. A denial of service (DoS) attack by field duplication in GraphQL is a type of attack where an attacker exploits the flexibility of GraphQL to overwhelm a server by requesting the same field multiple times in a single query. This can cause the server to perform redundant
Source: NVD