@directus/api

This hub aggregates every CVE we track for @directus/api, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 12 most recently published vulnerabilities affecting @directus/api.

• CVE-2026-26185Directus Affected by User Enumeration via Password Reset Timing Attack5.3Feb 12, 2026
• CVE-2026-22032Directus has open redirect in SAML4.3Jan 8, 2026
• CVE-2025-64749Directus Vulnerable to Information Leakage in Existing Collections4.3Nov 13, 2025
• CVE-2025-64748Directus's conceal fields are searchable if read permissions enabled6.5Nov 13, 2025
• CVE-2025-55746Directus allows unauthenticated file upload and file modification due to lacking input sanitization9.3Aug 20, 2025
• CVE-2025-30351Suspended Directus user can continue to use session token to access API3.5Mar 26, 2025
• CVE-2025-27089Overlapping policies allow update to non-allowed fields in directus5.4Feb 19, 2025
• CVE-2024-54151Directus allows unauthenticated access to WebSocket events and operations7.5Dec 9, 2024
• CVE-2024-47822Directus inserts access token from query string into logs4.2Oct 8, 2024
• CVE-2024-46990SSRF Loopback IP filter bypass in directus5.0Sep 18, 2024
• CVE-2024-45596Directus's session is cached for OpenID and OAuth2 if `redirect` is not used7.4Sep 10, 2024
• CVE-2024-39699Directus has a Blind SSRF On File Import5.0Jul 8, 2024