Severity  Score  Identifier      Title                                                                                                Affected versions
CRITICAL  9.3    CVE-2025-55746  Directus allows unauthenticated file upload and file modification due to lacking input sanitization  >= 14.1.0, < 28.0.2
HIGH      7.5    CVE-2024-54151  Directus allows unauthenticated access to WebSocket events and operations                            >= 22.2.0, < 23.2.0
HIGH      7.4    not listed      Session is cached for OpenID and OAuth2 if `redirect` is not used                                    from 0, < 21.0.1
MEDIUM    6.5    not listed      Directus's conceal fields are searchable if read permissions enabled                                 from 0, < 32.0.0
MEDIUM    5.4    not listed      Directus allows updates to non-allowed fields due to overlapping policies                            >= 22.0.0, < 23.1.0
MEDIUM    5.3    not listed      Directus Vulnerable to User Enumeration via Password Reset Timing Attack                             from 0, < 32.2.0
MEDIUM    5.0    not listed      Directus vulnerable to SSRF Loopback IP filter bypass                                                from 0, < 21.0.0
MEDIUM    5.0    not listed      Directus Blind SSRF On File Import                                                                   from 0, < 17.1.0
MEDIUM    4.3    not listed      Directus has open redirect in SAML                                                                   from 0, < 32.1.1
MEDIUM    4.3    not listed      Directus Vulnerable to Information Leakage in Existing Collections                                   from 0, < 32.0.0
MEDIUM    4.2    not listed      Directus inserts access token from query string into logs                                            from 0, < 21.0.0
LOW       3.5    not listed      Suspended Directus user can continue to use session token to access API                              >= 18.0.0, < 24.0.1

"from 0" means every release before the listed upper bound is affected. Only the first two entries carry a CVE identifier on this page; the rest are listed by title only.
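When triaging a deployment against a list like this, the practical question is "which of these ranges contain my installed version, and what is the lowest release that clears all of them?". The script below is an added example, not tooling from the Directus project: it parses the two range spellings used on this page (`>= X, < Y` and `from 0, < Y`), compares dotted numeric versions, and reports the matching advisories. The advisory records are transcribed from the list above; the sample versions passed to it at the bottom are constructed for illustration and are not real deployments.

```python
import re

# Transcribed from the advisory list on this page: (severity, score, identifier, title, affected range).
# Entries without a CVE on the page are recorded with identifier None.
ADVISORIES = [
    ("CRITICAL", 9.3, "CVE-2025-55746", "Directus allows unauthenticated file upload and file modification due to lacking input sanitization", ">= 14.1.0, < 28.0.2"),
    ("HIGH", 7.5, "CVE-2024-54151", "Directus allows unauthenticated access to WebSocket events and operations", ">= 22.2.0, < 23.2.0"),
    ("HIGH", 7.4, None, "Session is cached for OpenID and OAuth2 if `redirect` is not used", "from 0, < 21.0.1"),
    ("MEDIUM", 6.5, None, "Directus's conceal fields are searchable if read permissions enabled", "from 0, < 32.0.0"),
    ("MEDIUM", 5.4, None, "Directus allows updates to non-allowed fields due to overlapping policies", ">= 22.0.0, < 23.1.0"),
    ("MEDIUM", 5.3, None, "Directus Vulnerable to User Enumeration via Password Reset Timing Attack", "from 0, < 32.2.0"),
    ("MEDIUM", 5.0, None, "Directus vulnerable to SSRF Loopback IP filter bypass", "from 0, < 21.0.0"),
    ("MEDIUM", 5.0, None, "Directus Blind SSRF On File Import", "from 0, < 17.1.0"),
    ("MEDIUM", 4.3, None, "Directus has open redirect in SAML", "from 0, < 32.1.1"),
    ("MEDIUM", 4.3, None, "Directus Vulnerable to Information Leakage in Existing Collections", "from 0, < 32.0.0"),
    ("MEDIUM", 4.2, None, "Directus inserts access token from query string into logs", "from 0, < 21.0.0"),
    ("LOW", 3.5, None, "Suspended Directus user can continue to use session token to access API", ">= 18.0.0, < 24.0.1"),
]

# Matches both spellings used on the page: ">= 14.1.0, < 28.0.2" and "from 0, < 21.0.1".
_RANGE_RE = re.compile(r"^(?:from\s+(\S+)|>=\s*(\S+))\s*,\s*<\s*(\S+)$")


def parse_version(text):
    """Turn a dotted numeric version ('28.0.2', '0') into a 3-tuple padded with zeros.

    Assumption: plain numeric components only; pre-release tags are not handled here.
    """
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) > 3:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def parse_range(text):
    """Return (lower_inclusive, upper_exclusive) version tuples for a page-style range."""
    m = _RANGE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised range: {text!r}")
    low = m.group(1) or m.group(2)
    return parse_version(low), parse_version(m.group(3))


def is_affected(version, range_text):
    """True when lower <= version < upper for the given range string."""
    low, high = parse_range(range_text)
    return low <= parse_version(version) < high


def affected_titles(version):
    """Titles of every advisory whose range contains `version`, in page order (severity descending)."""
    return [title for (_sev, _score, _cve, title, rng) in ADVISORIES if is_affected(version, rng)]


def minimum_fixed_version():
    """Lowest release that is outside every listed range.

    All ranges here are upper-bounded by '< X', so the first release clear of all of them
    is the largest upper bound.
    """
    high = max(parse_range(rng)[1] for (_s, _sc, _c, _t, rng) in ADVISORIES)
    return ".".join(str(p) for p in high)


if __name__ == "__main__":
    # Constructed sample versions, not real deployments.
    for v in ("22.5.0", "27.9.9", "32.1.0", "32.2.0"):
        hits = affected_titles(v)
        print(f"{v}: {len(hits)} matching advisories")
        for t in hits:
            print(f"  - {t}")
    print("minimum version clear of all listed ranges:", minimum_fixed_version())
```

The comparison is deliberately simple: it treats versions as numeric tuples and does not understand pre-release or build suffixes, so feed it the released version string only. Because every range on the page is open-ended upward only at the "<" bound, the single number `minimum_fixed_version()` returns is the upgrade target that clears the whole list; a version below it will match at least one entry.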