All known vulnerabilities
CRITICAL 9.3 | CVE-2025-55746 | Directus allows unauthenticated file upload and file modification due to lacking input sanitization | >= 14.1.0, < 28.0.2
HIGH 7.5 | CVE-2024-54151 | Directus allows unauthenticated access to WebSocket events and operations | >= 22.2.0, < 23.2.0
HIGH 7.4 | CVE-2024-45596 | Session is cached for OpenID and OAuth2 if `redirect` is not used | from 0, < 21.0.1
MEDIUM 6.5 | CVE-2025-64748 | Directus's conceal fields are searchable if read permissions enabled | from 0, < 32.0.0
MEDIUM 5.4 | CVE-2025-27089 | Directus allows updates to non-allowed fields due to overlapping policies | >= 22.0.0, < 23.1.0
MEDIUM 5.3 | CVE-2026-26185 | Directus Vulnerable to User Enumeration via Password Reset Timing Attack | from 0, < 32.2.0
MEDIUM 5.0 | CVE-2024-46990 | Directus vulnerable to SSRF Loopback IP filter bypass | from 0, < 21.0.0
from 0, < 17.1.0
from 0, < 32.1.1
MEDIUM 4.3 | CVE-2025-64749 | Directus Vulnerable to Information Leakage in Existing Collections | from 0, < 32.0.0
MEDIUM 4.2 | CVE-2024-47822 | Directus inserts access token from query string into logs | from 0, < 21.0.0
LOW 3.5 | CVE-2025-30351 | Suspended Directus user can continue to use session token to access API | >= 18.0.0, < 24.0.1