{"url":"http://public2.vulnerablecode.io/api/packages/548033?format=json","purl":"pkg:npm/directus@9.0.0-beta.1","type":"npm","namespace":"","name":"directus","version":"9.0.0-beta.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"9.23.3","latest_non_vulnerable_version":"11.17.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/166718?format=json","vulnerability_id":"VCID-8ch7-zwuu-zufp","summary":"In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-26969","reference_id":"","reference_type":"","scores":[{"value":"0.00909","scoring_system":"epss","scoring_elements":"0.76265","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-26969"},{"reference_url":"https://github.com/directus/directus","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/directus/directus"},{"reference_url":"https://github.com/directus/directus/pull/12022","reference_id":"12022","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-14T14:53:09Z/"}],"url":"https://github.com/directus/directus/pull/12022"},{"reference_url":"https://github.com/directus/directus/blob/8daed9c41baeaf1d08c1e292bf9f0dcef65e48fb/docs/configuration/config-options.md","reference_id":"config-options.md","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/
S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-14T14:53:09Z/"}],"url":"https://github.com/directus/directus/blob/8daed9c41baeaf1d08c1e292bf9f0dcef65e48fb/docs/configuration/config-options.md"},{"reference_url":"https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS","reference_id":"CORS","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-14T14:53:09Z/"}],"url":"https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-26969","reference_id":"CVE-2022-26969","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-26969"},{"reference_url":"https://github.com/advisories/GHSA-g27j-74fp-xfpr","reference_id":"GHSA-g27j-74fp-xfpr","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g27j-74fp-xfpr"},{"reference_url":"https://github.com/directus/directus/security/advisories/GHSA-g27j-74fp-xfpr","reference_id":"GHSA-g27j-74fp-xfpr","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/directus/directus/security/advisories/GHSA-g27j-74fp-xfpr"
},{"reference_url":"https://security.snyk.io/vuln/SNYK-JS-DIRECTUS-2441822","reference_id":"SNYK-JS-DIRECTUS-2441822","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-14T14:53:09Z/"}],"url":"https://security.snyk.io/vuln/SNYK-JS-DIRECTUS-2441822"},{"reference_url":"https://github.com/directus/directus/releases/tag/v9.7.0","reference_id":"v9.7.0","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-14T14:53:09Z/"}],"url":"https://github.com/directus/directus/releases/tag/v9.7.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/20019?format=json","purl":"pkg:npm/directus@9.7.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9t8b-59vc-kbea"},{"vulnerability":"VCID-b8ya-2bmn-e3h5"},{"vulnerability":"VCID-bsua-aktm-1qfd"},{"vulnerability":"VCID-eb1b-zvas-muey"},{"vulnerability":"VCID-u121-7x5t-3fcg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/directus@9.7.0"}],"aliases":["CVE-2022-26969","GHSA-g27j-74fp-xfpr","GMS-2022-677"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8ch7-zwuu-zufp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/145589?format=json","vulnerability_id":"VCID-9t8b-59vc-kbea","summary":"Directus is a real-time API and App dashboard for managing SQL database content. 
In versions prior to 9.16.0 users with read access to the `password` field in `directus_users` can extract the argon2 password hashes by brute forcing the export functionality combined with a `_starts_with` filter. This allows the user to enumerate the password hashes. Accounts cannot be taken over unless the hashes can be reversed which is unlikely with current hardware. This problem has been patched by preventing any hashed/concealed field to be filtered against with the `_starts_with` or other string operator in version 9.16.0. Users are advised to upgrade. Users unable to upgrade may mitigate this issue by ensuring that no user has `read` access to the `password` field in `directus_users`.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-27481","reference_id":"","reference_type":"","scores":[{"value":"0.00301","scoring_system":"epss","scoring_elements":"0.53838","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-27481"},{"reference_url":"https://github.com/directus/directus","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/directus/directus"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27481","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27481"},{"reference_url":"https://github.com/directus/directus/pull/14829","reference_id":"14829","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elem
ents":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:30:10Z/"}],"url":"https://github.com/directus/directus/pull/14829"},{"reference_url":"https://github.com/directus/directus/pull/15010","reference_id":"15010","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:30:10Z/"}],"url":"https://github.com/directus/directus/pull/15010"},{"reference_url":"https://github.com/advisories/GHSA-m5q3-8wgf-x8xf","reference_id":"GHSA-m5q3-8wgf-x8xf","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-m5q3-8wgf-x8xf"},{"reference_url":"https://github.com/directus/directus/security/advisories/GHSA-m5q3-8wgf-x8xf","reference_id":"GHSA-m5q3-8wgf-x8xf","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:30:10Z/"}],"url":"https://github.com/directus/directus/security/advisories/GHSA-m5q3-8wgf-x8xf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/381015?format=json","purl":"pkg:npm/directus@9.16.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-b8ya-2bmn-e3h5"},{"vulnerabi
lity":"VCID-bsua-aktm-1qfd"},{"vulnerability":"VCID-u121-7x5t-3fcg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/directus@9.16.0"}],"aliases":["CVE-2023-27481","GHSA-m5q3-8wgf-x8xf"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9t8b-59vc-kbea"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/134660?format=json","vulnerability_id":"VCID-b8ya-2bmn-e3h5","summary":"Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.23.3, the `directus_refresh_token` is not redacted properly from the log outputs and can be used to impersonate users without their permission. This issue is patched in version 9.23.3.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-28443","reference_id":"","reference_type":"","scores":[{"value":"0.00061","scoring_system":"epss","scoring_elements":"0.19287","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-28443"},{"reference_url":"https://github.com/directus/directus","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/directus/directus"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-28443","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-28443"},{"reference_url":"https://github.com/directus/directus/commit/349536303983ccba68ecb3e4fb35315424011afc","reference_id":"349536303983ccba68ecb3e4fb35315424011afc","reference_type":"","scores":[{"value":"4.2","scori
ng_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-21T15:28:44Z/"}],"url":"https://github.com/directus/directus/commit/349536303983ccba68ecb3e4fb35315424011afc"},{"reference_url":"https://github.com/advisories/GHSA-8vg2-wf3q-mwv7","reference_id":"GHSA-8vg2-wf3q-mwv7","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-8vg2-wf3q-mwv7"},{"reference_url":"https://github.com/directus/directus/security/advisories/GHSA-8vg2-wf3q-mwv7","reference_id":"GHSA-8vg2-wf3q-mwv7","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-21T15:28:44Z/"}],"url":"https://github.com/directus/directus/security/advisories/GHSA-8vg2-wf3q-mwv7"},{"reference_url":"https://github.com/directus/directus/blob/7c479c5161639aac466c763b6b958a9524201d74/api/src/logger.ts#L13","reference_id":"logger.ts#L13","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-21T15:28:44Z/"}],"url":"https://github.com/directus/directus/blob/7c479c5161639aac466c763b6b958a9524201d74/api/src/logger.ts#L13"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/380863?format=json","purl":"pkg:npm/directus@9.23.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/directus
@9.23.3"}],"aliases":["CVE-2023-28443","GHSA-8vg2-wf3q-mwv7"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-b8ya-2bmn-e3h5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/135972?format=json","vulnerability_id":"VCID-bsua-aktm-1qfd","summary":"Directus is a real-time API and App dashboard for managing SQL database content. Directus is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to `/files/import`). An attacker can bypass the security controls by performing a DNS rebinding attack and view sensitive data from internal servers or perform a local port scan. An attacker can exploit this vulnerability to access highly sensitive internal server(s) and steal sensitive information. This issue was fixed in version 9.23.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-26492","reference_id":"","reference_type":"","scores":[{"value":"0.0023","scoring_system":"epss","scoring_elements":"0.45895","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-26492"},{"reference_url":"https://github.com/directus/directus","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/directus/directus"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-26492","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-26492"},{"reference_url":"https://github.com/directus/directus/commit/ff53d3e69a602d05342e15d9bb616884833ddbff","re
ference_id":"ff53d3e69a602d05342e15d9bb616884833ddbff","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:30:38Z/"}],"url":"https://github.com/directus/directus/commit/ff53d3e69a602d05342e15d9bb616884833ddbff"},{"reference_url":"https://github.com/advisories/GHSA-j3rg-3rgm-537h","reference_id":"GHSA-j3rg-3rgm-537h","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-j3rg-3rgm-537h"},{"reference_url":"https://github.com/directus/directus/security/advisories/GHSA-j3rg-3rgm-537h","reference_id":"GHSA-j3rg-3rgm-537h","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:30:38Z/"}],"url":"https://github.com/directus/directus/security/advisories/GHSA-j3rg-3rgm-537h"},{"reference_url":"https://github.com/directus/directus/releases/tag/v9.23.0","reference_id":"v9.23.0","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:30:
38Z/"}],"url":"https://github.com/directus/directus/releases/tag/v9.23.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32456?format=json","purl":"pkg:npm/directus@9.23.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-f3pv-2cf5-3bg8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/directus@9.23.0"},{"url":"http://public2.vulnerablecode.io/api/packages/393033?format=json","purl":"pkg:npm/directus@9.23.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-b8ya-2bmn-e3h5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/directus@9.23.1"}],"aliases":["CVE-2023-26492","GHSA-j3rg-3rgm-537h"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bsua-aktm-1qfd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/166999?format=json","vulnerability_id":"VCID-eb1b-zvas-muey","summary":"Directus is a free and open-source data platform for headless content management. The Directus process can be aborted by having an authorized user update the `filename_disk` value to a folder and accessing that file through the `/assets` endpoint. This vulnerability has been patched and release v9.15.0 contains the fix. Users are advised to upgrade. 
Users unable to upgrade may prevent this problem by making sure no (untrusted) non-admin users have permissions to update the `filename_disk` field on `directus_files`.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-36031","reference_id":"","reference_type":"","scores":[{"value":"0.0026","scoring_system":"epss","scoring_elements":"0.49626","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-36031"},{"reference_url":"https://github.com/directus/directus","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/directus/directus"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-36031","reference_id":"CVE-2022-36031","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-36031"},{"reference_url":"https://github.com/advisories/GHSA-77qm-wvqq-fg79","reference_id":"GHSA-77qm-wvqq-fg79","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-77qm-wvqq-fg79"},{"reference_url":"https://github.com/directus/directus/security/advisories/GHSA-77qm-wvqq-fg79","reference_id":"GHSA-77qm-wvqq-fg79","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:45
:00Z/"}],"url":"https://github.com/directus/directus/security/advisories/GHSA-77qm-wvqq-fg79"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/26040?format=json","purl":"pkg:npm/directus@9.15.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9t8b-59vc-kbea"},{"vulnerability":"VCID-b8ya-2bmn-e3h5"},{"vulnerability":"VCID-bsua-aktm-1qfd"},{"vulnerability":"VCID-u121-7x5t-3fcg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/directus@9.15.0"}],"aliases":["CVE-2022-36031","GHSA-77qm-wvqq-fg79"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-eb1b-zvas-muey"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/145868?format=json","vulnerability_id":"VCID-u121-7x5t-3fcg","summary":"Directus is a real-time API and App dashboard for managing SQL database content. Instances relying on an allow-listed reset URL are vulnerable to an HTML injection attack through the use of query parameters in the reset URL. An attacker could exploit this to email users URLs that point to the server's domain but may contain malicious code. The problem has been resolved, and the fix was released in version 9.23.0. People relying on a custom password reset URL should upgrade to 9.23.0 or later, or remove the custom reset URL from the configured allow list. Users are advised to upgrade. 
Users unable to upgrade may disable the custom reset URL allow list as a workaround.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-27474","reference_id":"","reference_type":"","scores":[{"value":"0.00828","scoring_system":"epss","scoring_elements":"0.74955","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-27474"},{"reference_url":"https://github.com/directus/directus","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/directus/directus"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27474","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27474"},{"reference_url":"https://github.com/directus/directus/issues/17119","reference_id":"17119","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-25T14:29:56Z/"}],"url":"https://github.com/directus/directus/issues/17119"},{"reference_url":"https://github.com/directus/directus/pull/17120","reference_id":"17120","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:
R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-25T14:29:56Z/"}],"url":"https://github.com/directus/directus/pull/17120"},{"reference_url":"https://github.com/advisories/GHSA-4hmq-ggrm-qfc6","reference_id":"GHSA-4hmq-ggrm-qfc6","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-4hmq-ggrm-qfc6"},{"reference_url":"https://github.com/directus/directus/security/advisories/GHSA-4hmq-ggrm-qfc6","reference_id":"GHSA-4hmq-ggrm-qfc6","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-25T14:29:56Z/"}],"url":"https://github.com/directus/directus/security/advisories/GHSA-4hmq-ggrm-qfc6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32456?format=json","purl":"pkg:npm/directus@9.23.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-f3pv-2cf5-3bg8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/directus@9.23.0"},{"url":"http://public2.vulnerablecode.io/api/packages/393033?format=json","purl":"pkg:npm/directus@9.23.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-b8ya-2bmn-e3h5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/directus@9.23.1"}],"aliases":["CVE-2023-27474","GHSA-4hmq-ggrm-qfc6"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u121-7x5t-3fcg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/173457?format=json
","vulnerability_id":"VCID-uhj5-vc26-t3ga","summary":"Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.7.0, unauthorized JavaScript (JS) can be executed by inserting an iframe into the rich text html interface that links to a file uploaded HTML file that loads another uploaded JS file in its script tag. This satisfies the regular content security policy header, which in turn allows the file to run any arbitrary JS. This issue was resolved in version 9.7.0. As a workaround, disable the live embed in the what-you-see-is-what-you-get by adding `{ \"media_live_embeds\": false }` to the _Options Overrides_ option of the Rich Text HTML interface.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24814","reference_id":"","reference_type":"","scores":[{"value":"0.0043","scoring_system":"epss","scoring_elements":"0.62959","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24814"},{"reference_url":"https://github.com/directus/directus","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/directus/directus"},{"reference_url":"https://github.com/directus/directus/pull/12020","reference_id":"12020","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:54:47Z/"}],"url":"https://github.com/directus/directus/pull/12020"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24814","reference_id":"CVE-2022-24814","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","
scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24814"},{"reference_url":"https://github.com/advisories/GHSA-xmjj-3c76-5w84","reference_id":"GHSA-xmjj-3c76-5w84","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xmjj-3c76-5w84"},{"reference_url":"https://github.com/directus/directus/security/advisories/GHSA-xmjj-3c76-5w84","reference_id":"GHSA-xmjj-3c76-5w84","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:54:47Z/"}],"url":"https://github.com/directus/directus/security/advisories/GHSA-xmjj-3c76-5w84"},{"reference_url":"https://github.com/directus/directus/releases/tag/v9.7.0","reference_id":"v9.7.0","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:54:47Z/"}],"url":"https://github.com/directus/directus/releases/tag/v9.7.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/20019?format=json","purl":"pkg:npm/directus@9.7.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9t8b-59vc-kbea"},{"vulnerability":"VCID-b8ya-2bmn-e3h5"},{"vulnerability":"VCID-bsua-aktm-1qfd"},{"vulnerability":"VCID-eb1b-zvas-muey"},{"vulnerability":"VCID-u121-7x5t-3fcg"}],"resource_url":"http://public2.vul
nerablecode.io/packages/pkg:npm/directus@9.7.0"}],"aliases":["CVE-2022-24814","GHSA-xmjj-3c76-5w84"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uhj5-vc26-t3ga"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/directus@9.0.0-beta.1"}