Package impact

npm / directus

| CVE | Severity | CVSS | Risk Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-35442 | unknown | | | | | 2mo ago | Directus: Authenticated Users Can Extract Concealed Fields via Aggregate Queries |
| CVE-2026-35441 | unknown | | | | | 2mo ago | Directus: GraphQL Alias Amplification Denial of Service Due to Missing Query Cost/Complexity Limits |
| CVE-2026-39943 | unknown | | | | | 2mo ago | Directus: Sensitive fields exposed in revision history |
| CVE-2026-35412 | unknown | | | | | 2mo ago | Directus: TUS Upload Authorization Bypass Allows Arbitrary File Overwrite |
| CVE-2026-35409 | unknown | | | | | 2mo ago | Directus: SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in File Import |
| CVE-2026-35413 | unknown | | | | | 2mo ago | Directus: GraphQL Schema SDL Disclosure Setting |
| CVE-2026-35410 | unknown | | | | | 2mo ago | Directus: Open Redirect via Parser Bypass in OAuth2/SAML Authentication Flow |
| CVE-2026-35411 | unknown | | | | | 2mo ago | Directus: Open Redirect in Admin 2FA Setup Page |
| CVE-2026-39942 | unknown | | | | | 2mo ago | Directus: Path Traversal and Broken Access Control in File Management API |
| CVE-2026-35408 | unknown | | | | | 2mo ago | Directus: Missing Cross-Origin Opener Policy |
| CVE-2026-26185 | unknown | | | | | 4mo ago | Directus Vulnerable to User Enumeration via Password Reset Timing Attack |
| CVE-2026-22032 | unknown | | | | | 5mo ago | Directus has open redirect in SAML |
| CVE-2025-64747 | unknown | | | | | 7mo ago | Directus is Vulnerable to Stored Cross-site Scripting |
| CVE-2025-64746 | unknown | | | | | 7mo ago | Directus has Improper Permission Handling on Deleted Fields |
| CVE-2025-64749 | unknown | | | | | 7mo ago | Directus Vulnerable to Information Leakage in Existing Collections |
| CVE-2025-64748 | unknown | | | | | 7mo ago | Directus's conceal fields are searchable if read permissions enabled |
| CVE-2025-55746 | unknown | | | | | 10mo ago | Directus allows unauthenticated file upload and file modification due to lacking input sanitization |
| CVE-2025-53889 | unknown | | | | | 11mo ago | Directus' insufficient permission checks can enable unauthenticated users to manually trigger Flows |
| CVE-2025-53887 | unknown | | | | | 11mo ago | Directus' exact version number is exposed by the OpenAPI Spec |
| CVE-2025-53886 | unknown | | | | | 11mo ago | Directus tokens are not redacted in flow logs, exposing session credentials to all admins |
| CVE-2025-53885 | unknown | | | | | 11mo ago | Directus is vulnerable to sensitive data exposure as user data is not being redacted when logged |
| CVE-2025-30353 | unknown | | | | | 1y ago | Directus's webhook trigger flows can leak sensitive data |
| CVE-2025-30352 | unknown | | | | | 1y ago | Directus `search` query parameter allows enumeration of non-permitted fields |
| CVE-2025-30351 | unknown | | | | | 1y ago | Suspended Directus user can continue to use session token to access API |
| CVE-2025-30350 | unknown | | | | | 1y ago | Directus's S3 assets become unavailable after a burst of HEAD requests |
| CVE-2025-30225 | unknown | | | | | 1y ago | Directus's S3 assets become unavailable after a burst of malformed transformations |
| CVE-2025-27089 | unknown | | | | | 1y ago | Directus allows updates to non-allowed fields due to overlapping policies |
| CVE-2025-24353 | unknown | | | | | 1y ago | Directus allows privilege escalation using Share feature |
| CVE-2024-54151 | unknown | | | | | 2y ago | Directus allows unauthenticated access to WebSocket events and operations |
| CVE-2024-54128 | unknown | | | | | 2y ago | Directus has an HTML Injection in Comment |
| CVE-2024-46990 | unknown | | | | | 2y ago | Directus vulnerable to SSRF Loopback IP filter bypass |
| CVE-2024-45596 | unknown | | | | | 2y ago | Session is cached for OpenID and OAuth2 if `redirect` is not used |
| CVE-2024-6534 | unknown | | | | | 2y ago | Directus has an insecure object reference via PATH presets |
| CVE-2024-39896 | unknown | | | | | 2y ago | Directus Allows Single Sign-On User Enumeration |
| CVE-2024-39701 | unknown | | | | | 2y ago | Directus incorrectly handles `_in` filter |
| CVE-2024-36128 | unknown | | | | | 2y ago | Directus is soft-locked by providing a string value to random string util |
| CVE-2024-34709 | unknown | | | | | 2y ago | Directus Lacks Session Tokens Invalidation |
| CVE-2024-34708 | unknown | | | | | 2y ago | Directus allows redacted data extraction on the API through "alias" |
| CVE-2024-28239 | unknown | | | | | 2y ago | URL Redirection to Untrusted Site in OAuth2/OpenID in directus |
| CVE-2024-28238 | unknown | | | | | 2y ago | Session Token in URL in directus |
| CVE-2024-27296 | unknown | | | | | 2y ago | Directus version number disclosure |
| CVE-2024-27295 | unknown | | | | | 2y ago | Directus has MySQL accent-insensitive email matching |
| CVE-2023-45820 | unknown | | | | | 3y ago | Directus crashes on invalid WebSocket message |
| CVE-2023-38503 | unknown | | | | | 3y ago | Incorrect Permission Checking for GraphQL Subscriptions |
| CVE-2020-19850 | unknown | | | | | 3y ago | Directus API vulnerable to denial of service |
| CVE-2023-28443 | unknown | | | | | 3y ago | directus vulnerable to Insertion of Sensitive Information into Log File |
| CVE-2023-27481 | unknown | | | | | 3y ago | Directus vulnerable to extraction of password hashes through export querying |
| CVE-2023-27474 | unknown | | | | | 3y ago | directus vulnerable to HTML Injection in Password Reset email to custom Reset URL |
| CVE-2023-26492 | unknown | | | | | 3y ago | Directus vulnerable to Server-Side Request Forgery On File Import |
| CVE-2022-36031 | unknown | | | | | 4y ago | Directus vulnerable to unhandled exception on illegal filename_disk value |
| CVE-2022-23080 | unknown | | | | | 4y ago | Server-Side Request Forgery in Directus |
| CVE-2022-26969 | unknown | | | | | 4y ago | Insecure default value for CORS configuration |
| CVE-2022-24814 | unknown | | | | | 4y ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in directus |