Br41Nslug

#16648of 53,632
16.1Total CVSS
Vulnerabilities · 3
Medium
3
PT-2026-31649
6.5
2026-04-04
Directus · Directus · CVE-2026-39943
Name of the Vulnerable Software and Affected Versions Directus versions prior to 11.17.0 Description Directus stores revision records in `directus revisions` when items are created or updated. The revision snapshot code did not consistently use the `prepareDelta` sanitization pipeline, allowing sensitive fields like user tokens, two-factor authentication secrets, external auth identifiers, auth data, stored credentials, and AI provider API keys to be stored in plaintext within revision records. This could allow a user or service account with read access to `directus revisions` to retrieve sensitive information, potentially leading to account takeover or unauthorized use of third-party API keys. Recommendations Update to version 11.17.0 or later.
PT-2025-29528
5.3
2025-07-14
Directus · Directus · CVE-2025-53887
Name of the Vulnerable Software and Affected Versions: Directus versions 9.0.0 through 11.8.99 Description: Directus is a real-time API and App dashboard for managing SQL database content. The exact Directus version number is exposed by the `/server/specs/oas` endpoint without authentication in versions prior to 11.9.0. This allows a malicious attacker to identify the specific running version and search for known vulnerabilities in Directus core or its dependencies. Recommendations: Update to Directus version 11.9.0 or later.
PT-2025-12982
4.3
2025-03-26
Directus · Directus · CVE-2025-30351
**Name of the Vulnerable Software and Affected Versions** Directus versions 10.10.0 through 11.4.x **Description** The issue allows a suspended user to access the API using a token generated in session auth mode, despite their suspended status. This occurs due to a missing check in the `verifySessionJWT` function to verify that a user is still active and allowed to access the API. A suspended user can continue to use the session token obtained before suspension until it expires. **Recommendations** For versions 10.10.0 through 11.4.x, update to version 11.5.0 to resolve the issue. As a temporary workaround, consider restricting access to the API for suspended users by implementing additional checks on user status until the patch can be applied.