CVE-2025-55746 — CVSS 9.3 (critical): Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in…
CVE-2026-35408 — CVSS 8.7 (high): Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus's Single Sign-On (SSO) login…
CVE-2025-30353 — CVSS 8.6 (high): Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.5.0…
CVE-2026-39942 — CVSS 8.5 (high): Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a…
CVE-2024-27295 — CVSS 8.2 (high): Directus is a real-time API and App dashboard for managing SQL database content. The password reset mechanism of the Directus backend…
CVE-2026-35442 — CVSS 8.1 (high): Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, aggregate functions (min, max) applied…
CVE-2026-35409 — CVSS 7.7 (high): Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.0, a Server-Side Request Forgery (SSRF)…
CVE-2024-54151 — CVSS 7.5 (high): Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 11.0.0 and prior to version 11.3.0…
CVE-2024-36128 — CVSS 7.5 (high): Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.2, providing a non-numeric length value to…
CVE-2024-39896 — CVSS 7.5 (high): Directus is a real-time API and App dashboard for managing SQL database content. When relying on SSO providers in combination with local…
CVE-2024-45596 — CVSS 7.4 (high): Directus is a real-time API and App dashboard for managing SQL database content. An unauthenticated user can access credentials of last…
CVE-2026-35412 — CVSS 7.1 (high): Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, Directus' TUS resumable upload endpoint…
CVE-2020-19850 — CVSS 6.5 (medium): An issue found in Directus API v.2.2.0 allows a remote attacker to cause a denial of service via a great amount of HTTP requests.
CVE-2026-39943 — CVSS 6.5 (medium): Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus stores revision records (in…
CVE-2025-53889 — CVSS 6.5 (medium): Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.9.0…
CVE-2022-36031 — CVSS 6.5 (medium): Directus is a free and open-source data platform for headless content management. The Directus process can be aborted by having an…
CVE-2026-35441 — CVSS 6.5 (medium): Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus' GraphQL endpoints (/graphql…
CVE-2025-64748 — CVSS 6.5 (medium): Directus is a real-time API and App dashboard for managing SQL database content. A vulnerability in versions prior to 11.13.0 allows…
CVE-2024-39895 — CVSS 6.5 (medium): Directus is a real-time API and App dashboard for managing SQL database content. A denial of service (DoS) attack by field duplication in…
CVE-2024-39701 — CVSS 6.3 (medium): Directus is a real-time API and App dashboard for managing SQL database content. Directus >=9.23.0, <=v10.5.3 improperly handles _in, _nin…
CVE-2026-35410 — CVSS 6.1 (medium): Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, an open redirect vulnerability exists in…
CVE-2023-45820 — CVSS 5.9 (medium): Directus is a real-time API and App dashboard for managing SQL database content. In affected versions any Directus installation that has…
CVE-2024-54128 — CVSS 5.7 (medium): Directus is a real-time API and App dashboard for managing SQL database content. The Comment feature has implemented a filter to prevent…
CVE-2023-38503 — CVSS 5.7 (medium): Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.3.0 and prior to version 10.5.0…
CVE-2025-64747 — CVSS 5.5 (medium): Directus is a real-time API and App dashboard for managing SQL database content. A stored cross-site scripting (XSS) vulnerability exists…
CVE-2024-6533 — CVSS 5.4 (medium): Directus v10.13.0 allows an authenticated external attacker to execute arbitrary JavaScript on the client. This is possible because the…
CVE-2025-27089 — CVSS 5.4 (medium): Directus is a real-time API and App dashboard for managing SQL database content. In affected versions if there are two overlapping policies…
CVE-2024-34709 — CVSS 5.4 (medium): Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.0, session tokens function like the other…
CVE-2024-28239 — CVSS 5.4 (medium): Directus is a real-time API and App dashboard for managing SQL database content. The authentication API has a `redirect` parameter that can…
CVE-2025-53887 — CVSS 5.3 (medium): Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, the…
CVE-2026-26185 — CVSS 5.3 (medium): Directus is a real-time API and App dashboard for managing SQL database content. Before 11.14.1, a timing-based user enumeration…
CVE-2025-30225 — CVSS 5.3 (medium): Directus is a real-time API and App dashboard for managing SQL database content. The `@directus/storage-driver-s3` package starting in…
CVE-2025-30350 — CVSS 5.3 (medium): Directus is a real-time API and App dashboard for managing SQL database content. The `@directus/storage-driver-s3` package starting in…
CVE-2025-30352 — CVSS 5.3 (medium): Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0-alpha.4 and prior to version…
CVE-2026-35413 — CVSS 5.3 (medium): Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, when GRAPHQL_INTROSPECTION=false is…
CVE-2024-27296 — CVSS 5.3 (medium): Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 10.8.3, the exact Directus version number…
CVE-2024-46990 — CVSS 5.0 (medium): Directus is a real-time API and App dashboard for managing SQL database content. When relying on blocking access to localhost using the…
CVE-2024-39699 — CVSS 5.0 (medium): Directus is a real-time API and App dashboard for managing SQL database content. There was already a reported SSRF vulnerability via file…
CVE-2023-26492 — CVSS 5.0 (medium): Directus is a real-time API and App dashboard for managing SQL database content. Directus is vulnerable to Server-Side Request Forgery…
CVE-2025-24353 — CVSS 5.0 (medium): Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.2.0, when sharing an item, a typical…
CVE-2024-34708 — CVSS 4.9 (medium): Directus is a real-time API and App dashboard for managing SQL database content. A user with permission to view any collection using…
CVE-2025-64746 — CVSS 4.6 (medium): Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.13.0, Directus does not properly clean…
CVE-2025-53886 — CVSS 4.5 (medium): Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0…
CVE-2026-35411 — CVSS 4.3 (medium): Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, Directus is vulnerable to an open…
CVE-2023-27481 — CVSS 4.3 (medium): Directus is a real-time API and App dashboard for managing SQL database content. In versions prior to 9.16.0 users with read access to the…
CVE-2024-6534 — CVSS 4.3 (medium): Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This…
CVE-2025-64749 — CVSS 4.3 (medium): Directus is a real-time API and App dashboard for managing SQL database content. An observable difference in error messaging was found in…
CVE-2026-22032 — CVSS 4.3 (medium): Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.14.0, an open redirect vulnerability…
CVE-2025-53885 — CVSS 4.2 (medium): Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0…
CVE-2024-47822 — CVSS 4.2 (medium): Directus is a real-time API and App dashboard for managing SQL database content. Access tokens from query strings are not redacted and are…
CVE-2023-28443 — CVSS 4.2 (medium): Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.23.3, the `directus_refresh_token` is…
CVE-2025-30351 — CVSS 3.5 (low): Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.10.0 and prior to version 11.5.0, a…
CVE-2024-28238 — CVSS 2.3 (low): Directus is a real-time API and App dashboard for managing SQL database content. When reaching the /files page, a JWT is passed via GET…