VulnerableCode Package Details - pkg:npm/%40directus/api@9.26.0

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:npm/%40directus/api@9.26.0

Essentials
History (8)

purl	pkg:npm/%40directus/api@9.26.0

Next non-vulnerable version	32.2.0
Latest non-vulnerable version	32.2.0
Risk

Vulnerabilities affecting this package (8)

Vulnerability	Summary	Fixed by
VCID-anfb-6kfn-a7h7 Aliases: CVE-2026-26185 GHSA-jr94-gj3h-c8rf	Directus Vulnerable to User Enumeration via Password Reset Timing Attack A timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reset_url parameter is provided, the response time differs by approximately 500ms between existing and non-existing users, enabling reliable user enumeration.	32.2.0 Affected by 0 other vulnerabilities.
VCID-f5p9-649h-hkhs Aliases: CVE-2024-47822 GHSA-vw58-ph65-6rxp		21.0.0 Affected by 7 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-hed8-anm5-ukc9 Aliases: CVE-2026-22032 GHSA-3573-4c68-g8cc	Directus has open redirect in SAML An open redirect vulnerability exists in the Directus SAML authentication callback endpoint. The `RelayState` parameter is used in redirects without proper validation against an allowlist of permitted domains.	32.1.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-msb5-197k-a3er Aliases: CVE-2024-46990 GHSA-68g8-c275-xf2m		21.0.0 Affected by 7 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 22.1.1 Affected by 8 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-na3v-me78-aqcg Aliases: CVE-2025-64749 GHSA-cph6-524f-3hgr	Directus Vulnerable to Information Leakage in Existing Collections An observable difference in error messaging was found in the Directus REST API. The `/items/{collection}` API returns different error messages for these two cases: 1. A user tries to access an existing collection which they are not authorized to access. 2. A user tries to access a non-existing collection. The two differing error messages leak the existence of collections to users which are not authorized to access these collections.	32.0.0 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-nvha-b5tb-dqdt Aliases: CVE-2025-64748 GHSA-8jpw-gpr4-8cmh	Directus's conceal fields are searchable if read permissions enabled A vulnerability allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked (`****`), successful matches can be detected through returned records, enabling enumeration attacks on sensitive data.	32.0.0 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-x8uk-jaz5-efd9 Aliases: CVE-2024-39699 GHSA-8p72-rcq4-h6pw		17.1.0 Affected by 8 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-xt9c-32g5-mqes Aliases: CVE-2024-45596 GHSA-cff8-x7jv-4fm8		21.0.1 Affected by 6 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 22.2.0 Affected by 8 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerabilities fixed by this package (0)

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-01T09:36:04.372976+00:00	GitLab Importer	Affected by	VCID-anfb-6kfn-a7h7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@directus/api/CVE-2026-26185.yml	38.6.0
2026-06-01T09:21:14.831601+00:00	GitLab Importer	Affected by	VCID-hed8-anm5-ukc9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@directus/api/CVE-2026-22032.yml	38.6.0
2026-06-01T09:09:32.983473+00:00	GitLab Importer	Affected by	VCID-na3v-me78-aqcg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@directus/api/CVE-2025-64749.yml	38.6.0
2026-06-01T09:09:19.826585+00:00	GitLab Importer	Affected by	VCID-nvha-b5tb-dqdt	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@directus/api/CVE-2025-64748.yml	38.6.0
2026-06-01T08:38:45.974404+00:00	GitLab Importer	Affected by	VCID-f5p9-649h-hkhs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@directus/api/CVE-2024-47822.yml	38.6.0
2026-06-01T08:15:59.027017+00:00	GitLab Importer	Affected by	VCID-msb5-197k-a3er	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@directus/api/CVE-2024-46990.yml	38.6.0
2026-06-01T08:14:33.963695+00:00	GitLab Importer	Affected by	VCID-xt9c-32g5-mqes	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@directus/api/CVE-2024-45596.yml	38.6.0
2026-06-01T08:09:35.229106+00:00	GitLab Importer	Affected by	VCID-x8uk-jaz5-efd9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@directus/api/CVE-2024-39699.yml	38.6.0