Directus

This hub aggregates every CVE we track for Directus, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Directus.

• CVE-2026-39943Directus exposes sensitive fields in revision history6.5Apr 9, 2026
• CVE-2026-39942Directus has a Path Traversal and Broken Access Control in File Management API8.5Apr 9, 2026
• CVE-2026-35442Directus: Authenticated Users Can Extract Concealed Fields via Aggregate Queries8.1Apr 6, 2026
• CVE-2026-35441Directus Affected by GraphQL Alias Amplification Denial-of-Service Due to Missing Query Cost/Complexity Limits6.5Apr 6, 2026
• CVE-2026-35413Directus GraphQL Schema SDL Disclosure Setting5.3Apr 6, 2026
• CVE-2026-35412Directus has a TUS Upload Authorization Bypass Allows Arbitrary File Overwrite7.1Apr 6, 2026
• CVE-2026-35411Directus is an Open Redirect in Admin 2FA Setup Page4.3Apr 6, 2026
• CVE-2026-35410Directus has an Open Redirect via Parser Bypass in OAuth2/SAML Authentication Flow6.1Apr 6, 2026
• CVE-2026-35409Directus has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in File Import7.7Apr 6, 2026
• CVE-2026-35408Directus is Missing Cross-Origin Opener Policy8.7Apr 6, 2026
• CVE-2026-26185Directus Affected by User Enumeration via Password Reset Timing Attack5.3Feb 12, 2026
• CVE-2026-22032Directus has open redirect in SAML4.3Jan 8, 2026
• CVE-2025-64749Directus Vulnerable to Information Leakage in Existing Collections4.3Nov 13, 2025
• CVE-2025-64748Directus's conceal fields are searchable if read permissions enabled6.5Nov 13, 2025
• CVE-2025-64747Directus Vulnerable to Stored Cross-site Scripting5.5Nov 13, 2025