| CVE-2026-26185 | unknown | — | — | 4mo ago | Directus Vulnerable to User Enumeration via Password Reset Timing Attack |
| CVE-2026-22032 | unknown | — | — | 5mo ago | Directus has open redirect in SAML |
| CVE-2025-64749 | unknown | — | — | 7mo ago | Directus Vulnerable to Information Leakage in Existing Collections |
| CVE-2025-64748 | unknown | — | — | 7mo ago | Directus's conceal fields are searchable if read permissions enabled |
| CVE-2025-55746 | unknown | — | — | 10mo ago | Directus allows unauthenticated file upload and file modification due to lacking input sanitization |
| CVE-2024-47822 | unknown | — | — | 1y ago | Directus inserts access token from query string into logs |
| CVE-2025-30351 | unknown | — | — | 1y ago | Suspended Directus user can continue to use session token to access API |
| CVE-2025-27089 | unknown | — | — | 1y ago | Directus allows updates to non-allowed fields due to overlapping policies |
| CVE-2024-54151 | unknown | — | — | 2y ago | Directus allows unauthenticated access to WebSocket events and operations |
| CVE-2024-46990 | unknown | — | — | 2y ago | Directus vulnerable to SSRF Loopback IP filter bypass |
| CVE-2024-45596 | unknown | — | — | 2y ago | Session is cached for OpenID and OAuth2 if `redirect` is not used |
| CVE-2024-39699 | unknown | — | — | 2y ago | Directus Blind SSRF On File Import |