Directus Support & Health

GHSA-22rr-f3p8-5gf8 CVSS_V3

Directus affected by VM2 sandbox escape vulnerability

Published: 2023-09-15 Fixed in: 10.6.0

GHSA-2ccr-g2rv-h677 CVSS_V3

Session Token in URL in directus

Published: 2024-03-12 Fixed in: 10.10.0

GHSA-3573-4c68-g8cc CVSS_V3

Directus has open redirect in SAML

Published: 2026-01-06 Fixed in: 11.14.0

GHSA-38hg-ww64-rrwc CVSS_V3

Directus: Authenticated Users Can Extract Concealed Fields via Aggregate Queries

Published: 2026-04-04 Fixed in: 11.17.0

GHSA-393c-p46r-7c95 CVSS_V3

Directus: Path Traversal and Broken Access Control in File Management API

Published: 2026-04-04 Fixed in: 11.17.0

GHSA-3fff-gqw3-vj86 CVSS_V3

Directus has an insecure object reference via PATH presets

Published: 2024-08-27 Fixed in: 10.13.2

GHSA-3gvp-54v2-2jrp CVSS_V3

Directus API vulnerable to denial of service

Published: 2023-04-04 Fixed in: 2.2.1

GHSA-4hmq-ggrm-qfc6 CVSS_V3

directus vulnerable to HTML Injection in Password Reset email to custom Reset URL

Published: 2023-03-07 Fixed in: 9.23.0

GHSA-56p6-qw3c-fq2g CVSS_V3

Suspended Directus user can continue to use session token to access API

Published: 2025-03-26 Fixed in: 11.5.0

GHSA-5h75-pvq4-82c9 CVSS_V3

Server-Side Request Forgery in Directus

Published: 2022-06-23 Fixed in: 9.7.0

Directus