Monospace Directus
54 CVEs affecting Monospace Directus. Latest disclosed: 2026-04-09. Critical: 2, High: 11.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2022-26969 | Critical | 9.8 | 2022-12-26 | In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true. |
| CVE-2025-55746 | Critical | 9.3 | 2025-08-20 | Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in the file update mechan… |
| CVE-2026-35408 | High | 8.7 | 2026-04-06 | Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus's Single Sign-On (SSO) login pages lacked a Cross-O… |
| CVE-2025-30353 | High | 8.6 | 2025-03-26 | Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.5.0, when a Flow with the "… |
| CVE-2026-39942 | High | 8.5 | 2026-04-09 | Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled fil… |
| CVE-2024-27295 | High | 8.2 | 2024-03-01 | Directus is a real-time API and App dashboard for managing SQL database content. The password reset mechanism of the Directus backend allows attackers to recei… |
| CVE-2026-35442 | High | 8.1 | 2026-04-06 | Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, aggregate functions (min, max) applied to fields with the co… |
| CVE-2026-35409 | High | 7.7 | 2026-04-06 | Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.0, a Server-Side Request Forgery (SSRF) protection bypass has b… |
| CVE-2024-54151 | High | 7.5 | 2024-12-09 | Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 11.0.0 and prior to version 11.3.0, when setting `WEBSOCKE… |
| CVE-2024-39896 | High | 7.5 | 2024-07-08 | Directus is a real-time API and App dashboard for managing SQL database content. When relying on SSO providers in combination with local authentication it can… |
| CVE-2024-36128 | High | 7.5 | 2024-06-03 | Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.2, providing a non-numeric length value to the random string ge… |
| CVE-2024-45596 | High | 7.4 | 2024-09-10 | Directus is a real-time API and App dashboard for managing SQL database content. An unauthenticated user can access credentials of last authenticated user via… |
| CVE-2026-35412 | High | 7.1 | 2026-04-06 | Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, Directus' TUS resumable upload endpoint (/files/tus) allows… |
| CVE-2026-39943 | Medium | 6.5 | 2026-04-09 | Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus stores revision records (in directus_revisions) whe… |
| CVE-2026-35441 | Medium | 6.5 | 2026-04-06 | Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus' GraphQL endpoints (/graphql and /graphql/system) d… |
| CVE-2025-64748 | Medium | 6.5 | 2025-11-13 | Directus is a real-time API and App dashboard for managing SQL database content. A vulnerability in versions prior to 11.13.0 allows authenticated users to sea… |
| CVE-2025-53889 | Medium | 6.5 | 2025-07-15 | Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.9.0, Directus Flows with a… |
| CVE-2024-39895 | Medium | 6.5 | 2024-07-08 | Directus is a real-time API and App dashboard for managing SQL database content. A denial of service (DoS) attack by field duplication in GraphQL is a type of… |
| CVE-2020-19850 | Medium | 6.5 | 2023-04-04 | An issue found in Directus API v.2.2.0 allows a remote attacker to cause a denial of service via a great amount of HTTP requests. |
| CVE-2022-36031 | Medium | 6.5 | 2022-08-19 | Directus is a free and open-source data platform for headless content management. The Directus process can be aborted by having an authorized user update the `… |