CVE-2022-26969
CVE-2022-26969 is a critical-severity vulnerability in Monospace Directus with a CVSS 3.x base score of 9.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-942.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- EPSS exploit prediction: 1% (56th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-942
- Affected product: Monospace Directus
- Published:
- Last modified:
Description
In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true.
Frequently asked questions
- What is CVE-2022-26969?
- In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true.
- How severe is CVE-2022-26969?
- CVE-2022-26969 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2022-26969 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (56th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2022-26969?
- CVE-2022-26969 affects Monospace Directus. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2022-26969?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- When was CVE-2022-26969 published?
- CVE-2022-26969 was published on 2022-12-26 and last updated on 2026-06-17.
References
- https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
- https://github.com/directus/directus/blob/8daed9c41baeaf1d08c1e292bf9f0dcef65e48fb/docs/configuration/config-options.md
- https://github.com/directus/directus/pull/12022
- https://github.com/directus/directus/releases/tag/v9.7.0
- https://security.snyk.io/vuln/SNYK-JS-DIRECTUS-2441822
Affected products (1)
- cpe:2.3:a:monospace:directus:*:*:*:*:*:*:*:*
More vulnerabilities in Monospace Directus
- CVE-2025-55746 — Critical (CVSS 9.3): Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a…
- CVE-2026-35408 — High (CVSS 8.7): Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus's Single…
- CVE-2025-30353 — High (CVSS 8.6): Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior…
- CVE-2026-39942 — High (CVSS 8.5): Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH…
- CVE-2024-27295 — High (CVSS 8.2): Directus is a real-time API and App dashboard for managing SQL database content. The password reset mechanism of the…
- CVE-2026-35442 — High (CVSS 8.1): Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, aggregate functions…
All CVEs affecting Monospace Directus →
Other CWE-942 vulnerabilities
- CVE-2022-31736 — Critical (CVSS 9.8): A malicious website could have learned the size of a cross-origin resource that supported Range requests. This…
- CVE-2026-34449 — Critical (CVSS 9.6): SiYuan is a personal knowledge management system. Prior to version 3.6.2, a malicious website can achieve Remote Code…
- CVE-2026-30924 — Critical (CVSS 9.6): qui is a web interface for managing qBittorrent instances. Versions 1.14.1 and below use a permissive CORS policy that…
- CVE-2026-9739 — Critical (CVSS 9.4): Vulnerable to DNS rebinding attacks when using SSE (http://b/499408790). During the beta phase, we implemented…
- CVE-2026-8948 — Critical (CVSS 9.1): Same-origin policy bypass in the DOM: Networking component. This vulnerability was fixed in Firefox 151 and Thunderbird…
- CVE-2023-38125 — High (CVSS 8.8): Softing edgeAggregator Permissive Cross-domain Policy with Untrusted Domains Remote Code Execution Vulnerability. This…