CVE-2026-35409

EPSS 0.34%
Veröffentlicht 06.04.2026 21:31:13
Zuletzt bearbeitet 20.04.2026 16:47:30
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Directus has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in File Import

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.0, a Server-Side Request Forgery (SSRF) protection bypass has been identified and fixed in Directus. The IP address validation mechanism used to block requests to local and private networks could be circumvented using IPv4-Mapped IPv6 address notation. This vulnerability is fixed in 11.16.0.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Monospace ≫ Directus SwPlatformnode.js Version < 11.16.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.34%	0.252

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.7	3.1	4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://github.com/directus/directus/security/advisories/GHSA-wv3h-5fx7-966h

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-35409

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-35409

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-35409

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-35409