Search for packages
| purl | pkg:npm/directus@11.9.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-5u8r-s8tz-guhm
Aliases: CVE-2025-55746 GHSA-mv33-9f6j-pfmc |
Affected by 4 other vulnerabilities. |
|
|
VCID-7zt3-dcnm-hqfb
Aliases: CVE-2025-64746 GHSA-9x5g-62gj-wqf2 |
Directus has Improper Permission Handling on Deleted Fields Directus does not properly clean up field-level permissions when a field is deleted. If a new field with the same name is created later, the system automatically re-applies the old permissions, which can lead to unauthorized access. |
Affected by 0 other vulnerabilities. |
|
VCID-jjth-fmsp-rfcj
Aliases: CVE-2025-64747 GHSA-vv2v-pw69-8crf |
Directus is Vulnerable to Stored Cross-site Scripting A stored cross-site scripting (XSS) vulnerability exists that allows users with `upload files` and `edit item` permissions to inject malicious JavaScript through the Block Editor interface. Attackers can bypass Content Security Policy (CSP) restrictions by combining file uploads with iframe srcdoc attributes, resulting in persistent XSS execution. |
Affected by 0 other vulnerabilities. |
|
VCID-na3v-me78-aqcg
Aliases: CVE-2025-64749 GHSA-cph6-524f-3hgr |
Directus Vulnerable to Information Leakage in Existing Collections An observable difference in error messaging was found in the Directus REST API. The `/items/{collection}` API returns different error messages for these two cases: 1. A user tries to access an existing collection which they are not authorized to access. 2. A user tries to access a non-existing collection. The two differing error messages leak the existence of collections to users which are not authorized to access these collections. |
Affected by 0 other vulnerabilities. |
|
VCID-nvha-b5tb-dqdt
Aliases: CVE-2025-64748 GHSA-8jpw-gpr4-8cmh |
Directus's conceal fields are searchable if read permissions enabled A vulnerability allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked (`****`), successful matches can be detected through returned records, enabling enumeration attacks on sensitive data. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-01T09:09:40.407565+00:00 | GitLab Importer | Affected by | VCID-7zt3-dcnm-hqfb | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/directus/CVE-2025-64746.yml | 38.6.0 |
| 2026-06-01T09:09:36.731309+00:00 | GitLab Importer | Affected by | VCID-jjth-fmsp-rfcj | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/directus/CVE-2025-64747.yml | 38.6.0 |
| 2026-06-01T09:09:30.203010+00:00 | GitLab Importer | Affected by | VCID-na3v-me78-aqcg | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/directus/CVE-2025-64749.yml | 38.6.0 |
| 2026-06-01T09:09:24.006437+00:00 | GitLab Importer | Affected by | VCID-nvha-b5tb-dqdt | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/directus/CVE-2025-64748.yml | 38.6.0 |
| 2026-06-01T08:49:20.847757+00:00 | GitLab Importer | Affected by | VCID-5u8r-s8tz-guhm | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/directus/CVE-2025-55746.yml | 38.6.0 |