HIGH🇬🇧 English

CVE-2026-35409

CVSS 7.7v3.1pub. 2026-04-06upd. 2026-04-20

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.0, a Server-Side Request Forgery (SSRF) protection bypass has been identified and fixed in Directus. The IP address validation mechanism used to block requests to local and private networks could be circumvented using IPv4-Mapped IPv6 address notation. This vulnerability is fixed in 11.16.0.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
  • Monospace Directus

    APP
    Monospace
    < 11.16.0
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
SSRF
CWE
Referencje

Powiązane podatności

CVE-2025-55746CRITICAL9.3PL ✓ten sam produkt

Directus: nieautoryzowana modyfikacja i upload plików z dowolną zawartością

CVE-2022-26969CRITICAL9.8ten sam produkt

In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true.

CVE-2026-39942HIGH8.5ten sam produkt

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /...

CVE-2026-35408HIGH8.7ten sam produkt

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus's ...

CVE-2026-35412HIGH7.1ten sam produkt

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, Directus' T...

CVE-2026-35409 — HIGH 7.7 | CVEbaza.pl