VulnerableCode Package Details - pkg:npm/directus@11.5.1

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:npm/directus@11.5.1

Essentials
History (9)

purl	pkg:npm/directus@11.5.1

Next non-vulnerable version	11.13.0
Latest non-vulnerable version	11.17.0
Risk

Vulnerabilities affecting this package (9)

Vulnerability	Summary	Fixed by
VCID-5u8r-s8tz-guhm Aliases: CVE-2025-55746 GHSA-mv33-9f6j-pfmc		11.9.3 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-7zt3-dcnm-hqfb Aliases: CVE-2025-64746 GHSA-9x5g-62gj-wqf2	Directus has Improper Permission Handling on Deleted Fields Directus does not properly clean up field-level permissions when a field is deleted. If a new field with the same name is created later, the system automatically re-applies the old permissions, which can lead to unauthorized access.	11.13.0 Affected by 0 other vulnerabilities.
VCID-bh2g-b9dd-d3d9 Aliases: CVE-2025-53886 GHSA-f24x-rm6g-3w5v		11.9.0 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-hpbn-rr29-2yck Aliases: CVE-2025-53885 GHSA-x3vm-88hf-gpxp		11.9.0 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-jjth-fmsp-rfcj Aliases: CVE-2025-64747 GHSA-vv2v-pw69-8crf	Directus is Vulnerable to Stored Cross-site Scripting A stored cross-site scripting (XSS) vulnerability exists that allows users with `upload files` and `edit item` permissions to inject malicious JavaScript through the Block Editor interface. Attackers can bypass Content Security Policy (CSP) restrictions by combining file uploads with iframe srcdoc attributes, resulting in persistent XSS execution.	11.13.0 Affected by 0 other vulnerabilities.
VCID-na3v-me78-aqcg Aliases: CVE-2025-64749 GHSA-cph6-524f-3hgr	Directus Vulnerable to Information Leakage in Existing Collections An observable difference in error messaging was found in the Directus REST API. The `/items/{collection}` API returns different error messages for these two cases: 1. A user tries to access an existing collection which they are not authorized to access. 2. A user tries to access a non-existing collection. The two differing error messages leak the existence of collections to users which are not authorized to access these collections.	11.13.0 Affected by 0 other vulnerabilities.
VCID-nvha-b5tb-dqdt Aliases: CVE-2025-64748 GHSA-8jpw-gpr4-8cmh	Directus's conceal fields are searchable if read permissions enabled A vulnerability allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked (`****`), successful matches can be detected through returned records, enabling enumeration attacks on sensitive data.	11.13.0 Affected by 0 other vulnerabilities.
VCID-pwt9-krmn-7kdd Aliases: CVE-2025-53889 GHSA-7cvf-pxgp-42fc		11.9.0 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-wn2j-dtpz-hye1 Aliases: CVE-2025-53887 GHSA-rmjh-cf9q-pv7q		11.9.0 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerabilities fixed by this package (0)

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-01T09:09:40.372544+00:00	GitLab Importer	Affected by	VCID-7zt3-dcnm-hqfb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/directus/CVE-2025-64746.yml	38.6.0
2026-06-01T09:09:36.693338+00:00	GitLab Importer	Affected by	VCID-jjth-fmsp-rfcj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/directus/CVE-2025-64747.yml	38.6.0
2026-06-01T09:09:30.166845+00:00	GitLab Importer	Affected by	VCID-na3v-me78-aqcg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/directus/CVE-2025-64749.yml	38.6.0
2026-06-01T09:09:23.971040+00:00	GitLab Importer	Affected by	VCID-nvha-b5tb-dqdt	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/directus/CVE-2025-64748.yml	38.6.0
2026-06-01T08:49:20.808330+00:00	GitLab Importer	Affected by	VCID-5u8r-s8tz-guhm	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/directus/CVE-2025-55746.yml	38.6.0
2026-06-01T08:45:44.933581+00:00	GitLab Importer	Affected by	VCID-wn2j-dtpz-hye1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/directus/CVE-2025-53887.yml	38.6.0
2026-06-01T08:45:42.704289+00:00	GitLab Importer	Affected by	VCID-pwt9-krmn-7kdd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/directus/CVE-2025-53889.yml	38.6.0
2026-06-01T08:45:41.136548+00:00	GitLab Importer	Affected by	VCID-bh2g-b9dd-d3d9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/directus/CVE-2025-53886.yml	38.6.0
2026-06-01T08:45:39.223149+00:00	GitLab Importer	Affected by	VCID-hpbn-rr29-2yck	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/directus/CVE-2025-53885.yml	38.6.0