@directus/api (npm) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the npm package @directus/api, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (12)
CVE-2025-55746 — CVSS 9.3 (critical): Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in…
CVE-2024-54151 — CVSS 7.5 (high): Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 11.0.0 and prior to version 11.3.0…
CVE-2024-45596 — CVSS 7.4 (high): Directus is a real-time API and App dashboard for managing SQL database content. An unauthenticated user can access credentials of last…
CVE-2025-64748 — CVSS 6.5 (medium): Directus is a real-time API and App dashboard for managing SQL database content. A vulnerability in versions prior to 11.13.0 allows…
CVE-2025-27089 — CVSS 5.4 (medium): Directus is a real-time API and App dashboard for managing SQL database content. In affected versions if there are two overlapping policies…
CVE-2026-26185 — CVSS 5.3 (medium): Directus is a real-time API and App dashboard for managing SQL database content. Before 11.14.1, a timing-based user enumeration…
CVE-2024-39699 — CVSS 5.0 (medium): Directus is a real-time API and App dashboard for managing SQL database content. There was already a reported SSRF vulnerability via file…
CVE-2024-46990 — CVSS 5.0 (medium): Directus is a real-time API and App dashboard for managing SQL database content. When relying on blocking access to localhost using the…
CVE-2025-64749 — CVSS 4.3 (medium): Directus is a real-time API and App dashboard for managing SQL database content. An observable difference in error messaging was found in…
CVE-2026-22032 — CVSS 4.3 (medium): Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.14.0, an open redirect vulnerability…
CVE-2024-47822 — CVSS 4.2 (medium): Directus is a real-time API and App dashboard for managing SQL database content. Access tokens from query strings are not redacted and are…
CVE-2025-30351 — CVSS 3.5 (low): Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.10.0 and prior to version 11.5.0, a…