Lookup for vulnerable packages by Package URL.

Purl pkg:npm/%40directus/api@14.0.0
Type npm
Namespace @directus
Name api
Version 14.0.0
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 32.2.0
Latest_non_vulnerable_version 32.2.0
Affected_by_vulnerabilities
0
url VCID-4pjr-vr8z-hfg9
vulnerability_id VCID-4pjr-vr8z-hfg9
summary Directus is a real-time API and App dashboard for managing SQL database content. Access tokens from query strings are not redacted and are potentially exposed in system logs which may be persisted. The access token in `req.query` is not redacted when the `LOG_STYLE` is set to `raw`. If these logs are not properly sanitized or protected, an attacker with access to them can potentially gain administrative control, leading to unauthorized data access and manipulation. This impacts systems where the `LOG_STYLE` is set to `raw`. The `access_token` in the query could potentially be a long-lived static token. Users with impacted systems should rotate their static tokens if they were provided using a query string. This vulnerability has been patched in release version 10.13.2 and subsequent releases as well. Users are advised to upgrade. There are no known workarounds for this vulnerability.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-47822
reference_id
reference_type
scores
0
value 0.00123
scoring_system epss
scoring_elements 0.31275
published_at 2026-06-14T12:55:00Z
1
value 0.00123
scoring_system epss
scoring_elements 0.31279
published_at 2026-06-12T12:55:00Z
2
value 0.00123
scoring_system epss
scoring_elements 0.31293
published_at 2026-06-13T12:55:00Z
3
value 0.00123
scoring_system epss
scoring_elements 0.31084
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-47822
1
reference_url https://github.com/directus/directus
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-47822
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-47822
3
reference_url https://github.com/directus/directus/commit/2e893f9c576d5a02506272fe2c0bcc12e6c58768
reference_id 2e893f9c576d5a02506272fe2c0bcc12e6c58768
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-08T18:21:09Z/
url https://github.com/directus/directus/commit/2e893f9c576d5a02506272fe2c0bcc12e6c58768
4
reference_url https://github.com/advisories/GHSA-vw58-ph65-6rxp
reference_id GHSA-vw58-ph65-6rxp
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vw58-ph65-6rxp
5
reference_url https://github.com/directus/directus/security/advisories/GHSA-vw58-ph65-6rxp
reference_id GHSA-vw58-ph65-6rxp
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-08T18:21:09Z/
url https://github.com/directus/directus/security/advisories/GHSA-vw58-ph65-6rxp
fixed_packages
0
url pkg:npm/%40directus/api@21.0.0
purl pkg:npm/%40directus/api@21.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3u2p-nh39-5qag
1
vulnerability VCID-54ja-4vrx-tbgm
2
vulnerability VCID-8q3p-rrv2-jba5
3
vulnerability VCID-qfnx-egwg-ybgp
4
vulnerability VCID-rdpb-7dcd-fyby
5
vulnerability VCID-tp8r-hnf7-fkaf
6
vulnerability VCID-ufth-uy5w-87fe
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540directus/api@21.0.0
aliases CVE-2024-47822, GHSA-vw58-ph65-6rxp
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4pjr-vr8z-hfg9
1
url VCID-54ja-4vrx-tbgm
vulnerability_id VCID-54ja-4vrx-tbgm
summary Directus is a real-time API and App dashboard for managing SQL database content. An unauthenticated user can access credentials of the last authenticated user via OpenID or OAuth2 where the authentication URL did not include a redirect query string. This happens because on that endpoint, for both OpenID and OAuth2, Directus is using the respond middleware, which by default will try to cache GET requests that meet some conditions. However, those conditions do not include this scenario, in which an unauthenticated request returns user credentials. This vulnerability is fixed in 10.13.3 and 11.1.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-45596
reference_id
reference_type
scores
0
value 0.00753
scoring_system epss
scoring_elements 0.7374
published_at 2026-06-14T12:55:00Z
1
value 0.00753
scoring_system epss
scoring_elements 0.7365
published_at 2026-06-11T12:55:00Z
2
value 0.00753
scoring_system epss
scoring_elements 0.73741
published_at 2026-06-13T12:55:00Z
3
value 0.00753
scoring_system epss
scoring_elements 0.73725
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-45596
1
reference_url https://github.com/directus/directus
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
1
value 8.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus
2
reference_url https://github.com/directus/directus/blob/main/api/src/auth/drivers/oauth2.ts#L422-L428
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
1
value 8.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus/blob/main/api/src/auth/drivers/oauth2.ts#L422-L428
3
reference_url https://github.com/directus/directus/blob/main/api/src/auth/drivers/openid.ts#L453-L459
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
1
value 8.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus/blob/main/api/src/auth/drivers/openid.ts#L453-L459
4
reference_url https://github.com/directus/directus/commit/4aace0bbe57232e38cd6a287ee475293e46dc91b
reference_id 4aace0bbe57232e38cd6a287ee475293e46dc91b
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
1
value 8.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-10T19:20:20Z/
url https://github.com/directus/directus/commit/4aace0bbe57232e38cd6a287ee475293e46dc91b
5
reference_url https://github.com/directus/directus/commit/769fa22797bff5a9231599883b391e013f122e52
reference_id 769fa22797bff5a9231599883b391e013f122e52
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
1
value 8.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-10T19:20:20Z/
url https://github.com/directus/directus/commit/769fa22797bff5a9231599883b391e013f122e52
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-45596
reference_id CVE-2024-45596
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
1
value 8.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-45596
7
reference_url https://github.com/advisories/GHSA-cff8-x7jv-4fm8
reference_id GHSA-cff8-x7jv-4fm8
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-cff8-x7jv-4fm8
8
reference_url https://github.com/directus/directus/security/advisories/GHSA-cff8-x7jv-4fm8
reference_id GHSA-cff8-x7jv-4fm8
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value 8.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-10T19:20:20Z/
url https://github.com/directus/directus/security/advisories/GHSA-cff8-x7jv-4fm8
fixed_packages
0
url pkg:npm/%40directus/api@21.0.1
purl pkg:npm/%40directus/api@21.0.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3u2p-nh39-5qag
1
vulnerability VCID-8q3p-rrv2-jba5
2
vulnerability VCID-qfnx-egwg-ybgp
3
vulnerability VCID-rdpb-7dcd-fyby
4
vulnerability VCID-tp8r-hnf7-fkaf
5
vulnerability VCID-ufth-uy5w-87fe
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540directus/api@21.0.1
1
url pkg:npm/%40directus/api@22.2.0
purl pkg:npm/%40directus/api@22.2.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3u2p-nh39-5qag
1
vulnerability VCID-3vnr-k31f-vycv
2
vulnerability VCID-8q3p-rrv2-jba5
3
vulnerability VCID-ghbw-eqaz-jqhs
4
vulnerability VCID-qfnx-egwg-ybgp
5
vulnerability VCID-rdpb-7dcd-fyby
6
vulnerability VCID-tp8r-hnf7-fkaf
7
vulnerability VCID-ufth-uy5w-87fe
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540directus/api@22.2.0
aliases CVE-2024-45596, GHSA-cff8-x7jv-4fm8
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-54ja-4vrx-tbgm
2
url VCID-bhkf-vr7q-pkew
vulnerability_id VCID-bhkf-vr7q-pkew
summary Directus is a real-time API and App dashboard for managing SQL database content. There was already a reported SSRF vulnerability via file import. It was fixed by resolving all DNS names and checking if the requested IP is an internal IP address. However, it is possible to bypass this security measure and execute an SSRF using redirects. Directus allows redirects when importing a file from a URL and does not check the resulting URL. Thus, it is possible to execute a request to an internal IP, for example to 127.0.0.1. However, it is blind SSRF, because Directus also uses response interception technique to get the information about the connect from the socket directly and it does not show a response if the IP address is internal. This vulnerability is fixed in 10.9.3.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-39699
reference_id
reference_type
scores
0
value 0.00087
scoring_system epss
scoring_elements 0.2491
published_at 2026-06-11T12:55:00Z
1
value 0.00087
scoring_system epss
scoring_elements 0.25113
published_at 2026-06-14T12:55:00Z
2
value 0.00087
scoring_system epss
scoring_elements 0.2511
published_at 2026-06-12T12:55:00Z
3
value 0.00087
scoring_system epss
scoring_elements 0.25127
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-39699
1
reference_url https://github.com/directus/directus
reference_id
reference_type
scores
0
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-39699
reference_id CVE-2024-39699
reference_type
scores
0
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-39699
3
reference_url https://github.com/directus/directus/commit/d577b44231c0923aca99cac5770fd853801caee1
reference_id d577b44231c0923aca99cac5770fd853801caee1
reference_type
scores
0
value 5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
2
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-08T18:12:46Z/
url https://github.com/directus/directus/commit/d577b44231c0923aca99cac5770fd853801caee1
4
reference_url https://github.com/advisories/GHSA-8p72-rcq4-h6pw
reference_id GHSA-8p72-rcq4-h6pw
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8p72-rcq4-h6pw
5
reference_url https://github.com/directus/directus/security/advisories/GHSA-8p72-rcq4-h6pw
reference_id GHSA-8p72-rcq4-h6pw
reference_type
scores
0
value 5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-08T18:12:46Z/
url https://github.com/directus/directus/security/advisories/GHSA-8p72-rcq4-h6pw
fixed_packages
0
url pkg:npm/%40directus/api@17.1.0
purl pkg:npm/%40directus/api@17.1.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4pjr-vr8z-hfg9
1
vulnerability VCID-54ja-4vrx-tbgm
2
vulnerability VCID-8q3p-rrv2-jba5
3
vulnerability VCID-qfnx-egwg-ybgp
4
vulnerability VCID-qrf3-cz1h-8kau
5
vulnerability VCID-rdpb-7dcd-fyby
6
vulnerability VCID-tp8r-hnf7-fkaf
7
vulnerability VCID-ufth-uy5w-87fe
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540directus/api@17.1.0
aliases CVE-2024-39699, GHSA-8p72-rcq4-h6pw
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bhkf-vr7q-pkew
3
url VCID-qfnx-egwg-ybgp
vulnerability_id VCID-qfnx-egwg-ybgp
summary Directus is a real-time API and App dashboard for managing SQL database content. A vulnerability in versions prior to 11.13.0 allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked (`****`), successful matches can be detected through returned records, enabling enumeration attacks on sensitive data. Version 11.13.0 fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-64748
reference_id
reference_type
scores
0
value 0.00049
scoring_system epss
scoring_elements 0.15913
published_at 2026-06-14T12:55:00Z
1
value 0.00049
scoring_system epss
scoring_elements 0.15946
published_at 2026-06-13T12:55:00Z
2
value 0.00049
scoring_system epss
scoring_elements 0.15936
published_at 2026-06-12T12:55:00Z
3
value 0.00049
scoring_system epss
scoring_elements 0.158
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-64748
1
reference_url https://github.com/directus/directus
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus
2
reference_url https://github.com/directus/directus/commit/7737d56e096f95edfbdf861a3c08999ad31ce204
reference_id 7737d56e096f95edfbdf861a3c08999ad31ce204
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-13T21:39:19Z/
url https://github.com/directus/directus/commit/7737d56e096f95edfbdf861a3c08999ad31ce204
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-64748
reference_id CVE-2025-64748
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-64748
4
reference_url https://github.com/advisories/GHSA-8jpw-gpr4-8cmh
reference_id GHSA-8jpw-gpr4-8cmh
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8jpw-gpr4-8cmh
5
reference_url https://github.com/directus/directus/security/advisories/GHSA-8jpw-gpr4-8cmh
reference_id GHSA-8jpw-gpr4-8cmh
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-13T21:39:19Z/
url https://github.com/directus/directus/security/advisories/GHSA-8jpw-gpr4-8cmh
fixed_packages
0
url pkg:npm/%40directus/api@32.0.0
purl pkg:npm/%40directus/api@32.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-rdpb-7dcd-fyby
1
vulnerability VCID-ufth-uy5w-87fe
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540directus/api@32.0.0
aliases CVE-2025-64748, GHSA-8jpw-gpr4-8cmh
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qfnx-egwg-ybgp
4
url VCID-qrf3-cz1h-8kau
vulnerability_id VCID-qrf3-cz1h-8kau
summary Directus is a real-time API and App dashboard for managing SQL database content. When relying on blocking access to localhost using the default `0.0.0.0` filter, a user may bypass this block by using other registered loopback devices (like `127.0.0.2` - `127.127.127.127`). This issue has been addressed in release versions 10.13.3 and 11.1.0. Users are advised to upgrade. Users unable to upgrade may block this bypass by manually adding the `127.0.0.0/8` CIDR range, which will block access to any `127.X.X.X` IP instead of just `127.0.0.1`.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-46990
reference_id
reference_type
scores
0
value 0.00237
scoring_system epss
scoring_elements 0.47191
published_at 2026-06-12T12:55:00Z
1
value 0.00237
scoring_system epss
scoring_elements 0.47188
published_at 2026-06-14T12:55:00Z
2
value 0.00237
scoring_system epss
scoring_elements 0.47206
published_at 2026-06-13T12:55:00Z
3
value 0.00237
scoring_system epss
scoring_elements 0.47051
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-46990
1
reference_url https://github.com/directus/directus
reference_id
reference_type
scores
0
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus
2
reference_url https://github.com/directus/directus/commit/4aace0bbe57232e38cd6a287ee475293e46dc91b
reference_id 4aace0bbe57232e38cd6a287ee475293e46dc91b
reference_type
scores
0
value 5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
2
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-18T18:14:11Z/
url https://github.com/directus/directus/commit/4aace0bbe57232e38cd6a287ee475293e46dc91b
3
reference_url https://github.com/directus/directus/commit/769fa22797bff5a9231599883b391e013f122e52
reference_id 769fa22797bff5a9231599883b391e013f122e52
reference_type
scores
0
value 5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
2
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-18T18:14:11Z/
url https://github.com/directus/directus/commit/769fa22797bff5a9231599883b391e013f122e52
4
reference_url https://github.com/directus/directus/commit/8cbf943b65fd4a763d09a5fdbba8996b1e7797ff
reference_id 8cbf943b65fd4a763d09a5fdbba8996b1e7797ff
reference_type
scores
0
value 5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
2
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-18T18:14:11Z/
url https://github.com/directus/directus/commit/8cbf943b65fd4a763d09a5fdbba8996b1e7797ff
5
reference_url https://github.com/directus/directus/commit/c1f3ccc681595038d094ce110ddeee38cb38f431
reference_id c1f3ccc681595038d094ce110ddeee38cb38f431
reference_type
scores
0
value 5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
2
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-18T18:14:11Z/
url https://github.com/directus/directus/commit/c1f3ccc681595038d094ce110ddeee38cb38f431
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-46990
reference_id CVE-2024-46990
reference_type
scores
0
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-46990
7
reference_url https://github.com/advisories/GHSA-68g8-c275-xf2m
reference_id GHSA-68g8-c275-xf2m
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-68g8-c275-xf2m
8
reference_url https://github.com/directus/directus/security/advisories/GHSA-68g8-c275-xf2m
reference_id GHSA-68g8-c275-xf2m
reference_type
scores
0
value 5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
1
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-18T18:14:11Z/
url https://github.com/directus/directus/security/advisories/GHSA-68g8-c275-xf2m
fixed_packages
0
url pkg:npm/%40directus/api@21.0.0
purl pkg:npm/%40directus/api@21.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3u2p-nh39-5qag
1
vulnerability VCID-54ja-4vrx-tbgm
2
vulnerability VCID-8q3p-rrv2-jba5
3
vulnerability VCID-qfnx-egwg-ybgp
4
vulnerability VCID-rdpb-7dcd-fyby
5
vulnerability VCID-tp8r-hnf7-fkaf
6
vulnerability VCID-ufth-uy5w-87fe
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540directus/api@21.0.0
1
url pkg:npm/%40directus/api@22.1.1
purl pkg:npm/%40directus/api@22.1.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3u2p-nh39-5qag
1
vulnerability VCID-3vnr-k31f-vycv
2
vulnerability VCID-54ja-4vrx-tbgm
3
vulnerability VCID-8q3p-rrv2-jba5
4
vulnerability VCID-qfnx-egwg-ybgp
5
vulnerability VCID-rdpb-7dcd-fyby
6
vulnerability VCID-tp8r-hnf7-fkaf
7
vulnerability VCID-ufth-uy5w-87fe
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540directus/api@22.1.1
aliases CVE-2024-46990, GHSA-68g8-c275-xf2m
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qrf3-cz1h-8kau
5
url VCID-rdpb-7dcd-fyby
vulnerability_id VCID-rdpb-7dcd-fyby
summary Directus is a real-time API and App dashboard for managing SQL database content. Before 11.14.1, a timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reset_url parameter is provided, the response time differs by approximately 500ms between existing and non-existing users, enabling reliable user enumeration. This vulnerability is fixed in 11.14.1.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-26185
reference_id
reference_type
scores
0
value 0.00014
scoring_system epss
scoring_elements 0.02541
published_at 2026-06-13T12:55:00Z
1
value 0.00014
scoring_system epss
scoring_elements 0.02551
published_at 2026-06-12T12:55:00Z
2
value 0.00014
scoring_system epss
scoring_elements 0.02548
published_at 2026-06-11T12:55:00Z
3
value 0.00015
scoring_system epss
scoring_elements 0.03331
published_at 2026-06-14T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-26185
1
reference_url https://github.com/directus/directus
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus
2
reference_url https://github.com/directus/directus/pull/26485
reference_id 26485
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-13T15:58:57Z/
url https://github.com/directus/directus/pull/26485
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-26185
reference_id CVE-2026-26185
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-26185
4
reference_url https://github.com/directus/directus/commit/e69aa7a5248c6e3e822cb1ac354dee295df90b2a
reference_id e69aa7a5248c6e3e822cb1ac354dee295df90b2a
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-13T15:58:57Z/
url https://github.com/directus/directus/commit/e69aa7a5248c6e3e822cb1ac354dee295df90b2a
5
reference_url https://github.com/advisories/GHSA-jr94-gj3h-c8rf
reference_id GHSA-jr94-gj3h-c8rf
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jr94-gj3h-c8rf
6
reference_url https://github.com/directus/directus/security/advisories/GHSA-jr94-gj3h-c8rf
reference_id GHSA-jr94-gj3h-c8rf
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-13T15:58:57Z/
url https://github.com/directus/directus/security/advisories/GHSA-jr94-gj3h-c8rf
7
reference_url https://github.com/directus/directus/releases/tag/v11.14.1
reference_id v11.14.1
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-13T15:58:57Z/
url https://github.com/directus/directus/releases/tag/v11.14.1
fixed_packages
0
url pkg:npm/%40directus/api@32.2.0
purl pkg:npm/%40directus/api@32.2.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540directus/api@32.2.0
aliases CVE-2026-26185, GHSA-jr94-gj3h-c8rf
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rdpb-7dcd-fyby
6
url VCID-tp8r-hnf7-fkaf
vulnerability_id VCID-tp8r-hnf7-fkaf
summary Directus is a real-time API and App dashboard for managing SQL database content. An observable difference in error messaging was found in the Directus REST API in versions of Directus prior to version 11.13.0. The `/items/{collection}` API returns different error messages for two cases: when a user tries to access an existing collection which they are not authorized to access, and when a user tries to access a non-existing collection. The two differing error messages leak the existence of collections to users who are not authorized to access these collections. Version 11.13.0 fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-64749
reference_id
reference_type
scores
0
value 0.00049
scoring_system epss
scoring_elements 0.15725
published_at 2026-06-14T12:55:00Z
1
value 0.00049
scoring_system epss
scoring_elements 0.15744
published_at 2026-06-12T12:55:00Z
2
value 0.00049
scoring_system epss
scoring_elements 0.15606
published_at 2026-06-11T12:55:00Z
3
value 0.00049
scoring_system epss
scoring_elements 0.15758
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-64749
1
reference_url https://github.com/directus/directus
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-64749
reference_id CVE-2025-64749
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-64749
3
reference_url https://github.com/directus/directus/commit/f99c9b89071f9d136cc9b0d0c182f2d24542bc31
reference_id f99c9b89071f9d136cc9b0d0c182f2d24542bc31
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-14T17:14:48Z/
url https://github.com/directus/directus/commit/f99c9b89071f9d136cc9b0d0c182f2d24542bc31
4
reference_url https://github.com/advisories/GHSA-cph6-524f-3hgr
reference_id GHSA-cph6-524f-3hgr
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-cph6-524f-3hgr
5
reference_url https://github.com/directus/directus/security/advisories/GHSA-cph6-524f-3hgr
reference_id GHSA-cph6-524f-3hgr
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-14T17:14:48Z/
url https://github.com/directus/directus/security/advisories/GHSA-cph6-524f-3hgr
fixed_packages
0
url pkg:npm/%40directus/api@32.0.0
purl pkg:npm/%40directus/api@32.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-rdpb-7dcd-fyby
1
vulnerability VCID-ufth-uy5w-87fe
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540directus/api@32.0.0
aliases CVE-2025-64749, GHSA-cph6-524f-3hgr
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tp8r-hnf7-fkaf
7
url VCID-ufth-uy5w-87fe
vulnerability_id VCID-ufth-uy5w-87fe
summary Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.14.0, an open redirect vulnerability exists in the Directus SAML authentication callback endpoint. During SAML authentication, the `RelayState` parameter is intended to preserve the user's original destination. However, while the login initiation flow validates redirect targets against allowed domains, this validation is not applied to the callback endpoint. This allows an attacker to craft a malicious authentication request that redirects users to an arbitrary external URL upon completion. The vulnerability is present in both the success and error handling paths of the callback. This vulnerability can be exploited without authentication. Version 11.14.0 contains a patch.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-22032
reference_id
reference_type
scores
0
value 0.00046
scoring_system epss
scoring_elements 0.14615
published_at 2026-06-14T12:55:00Z
1
value 0.00046
scoring_system epss
scoring_elements 0.14641
published_at 2026-06-13T12:55:00Z
2
value 0.00046
scoring_system epss
scoring_elements 0.14642
published_at 2026-06-12T12:55:00Z
3
value 0.00046
scoring_system epss
scoring_elements 0.14523
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-22032
1
reference_url https://github.com/directus/directus
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/directus/directus
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-22032
reference_id CVE-2026-22032
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-22032
3
reference_url https://github.com/directus/directus/commit/dad9576ea9362905cc4de8028d3877caff36dc23
reference_id dad9576ea9362905cc4de8028d3877caff36dc23
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-08T14:48:13Z/
url https://github.com/directus/directus/commit/dad9576ea9362905cc4de8028d3877caff36dc23
4
reference_url https://github.com/advisories/GHSA-3573-4c68-g8cc
reference_id GHSA-3573-4c68-g8cc
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3573-4c68-g8cc
5
reference_url https://github.com/directus/directus/security/advisories/GHSA-3573-4c68-g8cc
reference_id GHSA-3573-4c68-g8cc
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-08T14:48:13Z/
url https://github.com/directus/directus/security/advisories/GHSA-3573-4c68-g8cc
fixed_packages
0
url pkg:npm/%40directus/api@32.1.1
purl pkg:npm/%40directus/api@32.1.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-rdpb-7dcd-fyby
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540directus/api@32.1.1
aliases CVE-2026-22032, GHSA-3573-4c68-g8cc
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ufth-uy5w-87fe
Fixing_vulnerabilities
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540directus/api@14.0.0