Monospace Directus vulnerabilities
54 known vulnerabilities affecting monospace/directus.
Total CVEs: 54
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 11, MEDIUM 40, LOW 1
Vulnerabilities
Page 3 of 3
CVE-2023-28443 | P4 | MEDIUM | CVSS 5.5 | CWE-284 | fixed in 9.23.3 | 2023-03-24
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.23.3, the `directus_refresh_token` is not redacted properly from the log outputs and can be used to impersonate users without their permission. This issue is patched in version 9.23.3.
Source: nvd
CVE-2025-53886 | P4 | MEDIUM | CVSS 4.5 | CWE-200 | affects ≥ 9.0.0, < 11.9.0 | 2025-07-15
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows with the WebHook trigger all incoming request details are logged including security sensitive data like access and refresh tokens in cookies. Malicious admins with access to the logs can hi
Source: nvd
CVE-2025-24353 | P4 | MEDIUM | CVSS 4.3 | CWE-269 | fixed in 11.2.0 | 2025-01-23
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.2.0, when sharing an item, a typical user can specify an arbitrary role. It allows the user to use a higher-privileged role to see fields that otherwise the user should not be able to see. Instances that are impacted are those that use the share feat
Source: nvd
CVE-2025-64749 | P4 | MEDIUM | CVSS 4.3 | CWE-203 | fixed in 11.13.0 | 2025-11-13
Directus is a real-time API and App dashboard for managing SQL database content. An observable difference in error messaging was found in the Directus REST API in versions of Directus prior to version 11.13.0. The `/items/{collection}` API returns different error messages for two cases: when a user tries to access an existing collection which they a
Source: nvd
CVE-2024-54128 | P4 | MEDIUM | CVSS 4.6 | CWE-80 | affects ≥ 10.10.0, < 10.13.4; ≥ 11.0.0, < 11.2.2 | 2024-12-05
Directus is a real-time API and App dashboard for managing SQL database content. The Comment feature has implemented a filter to prevent users from adding restricted characters, such as HTML tags. However, this filter operates on the client-side, which can be bypassed, making the application vulnerable to HTML Injection. This vulnerability is fixed in
Source: nvd
CVE-2023-27481 | P4 | MEDIUM | CVSS 4.3 | CWE-200 | fixed in 9.16.0 | 2023-03-07
Directus is a real-time API and App dashboard for managing SQL database content. In versions prior to 9.16.0 users with read access to the `password` field in `directus_users` can extract the argon2 password hashes by brute forcing the export functionality combined with a `_starts_with` filter. This allows the user to enumerate the password hashes.
Source: nvd
CVE-2025-30351 | P4 | MEDIUM | CVSS 4.3 | CWE-672 | affects ≥ 10.10.0, < 11.5.0 | 2025-03-26
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.10.0 and prior to version 11.5.0, a suspended user can use the token generated in session auth mode to access the API despite their status. This happens because there is a check missing in `verifySessionJWT` to verify that a user is actually still
Source: nvd
CVE-2024-6534 | P4 | MEDIUM | CVSS 4.3 | affects v10.13.0 | 2024-08-15
Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the 'POST /presets' request but not in the PATCH request. When chained with CVE-2024-6533, it could result in account takeover.
Source: nvd
CVE-2025-27089 | P4 | MEDIUM | CVSS 4.3 | CWE-863 | affects ≥ 11.0.0, < 11.1.2 | 2025-02-19
Directus is a real-time API and App dashboard for managing SQL database content. In affected versions if there are two overlapping policies for the `update` action that allow access to different fields, instead of correctly checking access permissions against the item they apply for the user is allowed to update the superset of fields allowed by any
Source: nvd
CVE-2026-35411 | P4 | MEDIUM | CVSS 4.3 | CWE-601 | fixed in 11.16.1 | 2026-04-06
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, Directus is vulnerable to an open redirect via the redirect query parameter on the /admin/tfa-setup page. When an administrator who has not yet configured Two-Factor Authentication (2FA) visits a crafted URL, they are presented with the legitimate Dire
Source: nvd
CVE-2024-47822 | P4 | MEDIUM | CVSS 4.2 | CWE-532 | fixed in 10.13.2 | 2024-10-08
Directus is a real-time API and App dashboard for managing SQL database content. Access tokens from query strings are not redacted and are potentially exposed in system logs which may be persisted. The access token in `req.query` is not redacted when the `LOG_STYLE` is set to `raw`. If these logs are not properly sanitized or protected, an attacker w
Source: nvd
CVE-2024-28239 | P4 | MEDIUM | CVSS 4.3 | CWE-601 | fixed in 10.10.0 | 2024-03-12
Directus is a real-time API and App dashboard for managing SQL database content. The authentication API has a `redirect` parameter that can be exploited as an open redirect vulnerability as the user tries to log in via the API URL. There's a redirect that is done after successful login via the Auth API GET request to `directus/auth/login/google?redir
Source: nvd
CVE-2025-53885 | P4 | MEDIUM | CVSS 4.2 | CWE-532 | affects ≥ 9.0.0, < 11.9.0 | 2025-07-15
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows to handle CRUD events for users it is possible to log the incoming data to console using the "Log to Console" operation and a template string. Malicious admins can log sensitive data from o
Source: nvd
CVE-2024-28238 | P4 | LOW | CVSS 2.3 | CWE-200 | fixed in 10.10.0 | 2024-03-12
Directus is a real-time API and App dashboard for managing SQL database content. When reaching the /files page, a JWT is passed via GET request. Inclusion of session tokens in URLs poses a security risk as URLs are often logged in various places (e.g., web server logs, browser history). Attackers gaining access to these logs may hijack active user sess
Source: nvd