Search for packages
| purl | pkg:npm/directus@11.13.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | ||
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-7zt3-dcnm-hqfb | Directus has Improper Permission Handling on Deleted Fields Directus does not properly clean up field-level permissions when a field is deleted. If a new field with the same name is created later, the system automatically re-applies the old permissions, which can lead to unauthorized access. |
CVE-2025-64746
GHSA-9x5g-62gj-wqf2 |
| VCID-jjth-fmsp-rfcj | Directus is Vulnerable to Stored Cross-site Scripting A stored cross-site scripting (XSS) vulnerability exists that allows users with `upload files` and `edit item` permissions to inject malicious JavaScript through the Block Editor interface. Attackers can bypass Content Security Policy (CSP) restrictions by combining file uploads with iframe srcdoc attributes, resulting in persistent XSS execution. |
CVE-2025-64747
GHSA-vv2v-pw69-8crf |
| VCID-na3v-me78-aqcg | Directus Vulnerable to Information Leakage in Existing Collections An observable difference in error messaging was found in the Directus REST API. The `/items/{collection}` API returns different error messages for these two cases: 1. A user tries to access an existing collection which they are not authorized to access. 2. A user tries to access a non-existing collection. The two differing error messages leak the existence of collections to users which are not authorized to access these collections. |
CVE-2025-64749
GHSA-cph6-524f-3hgr |
| VCID-nvha-b5tb-dqdt | Directus's conceal fields are searchable if read permissions enabled A vulnerability allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked (`****`), successful matches can be detected through returned records, enabling enumeration attacks on sensitive data. |
CVE-2025-64748
GHSA-8jpw-gpr4-8cmh |