close search bar

Sorry, not available in this language yet

close language selection

CyRC Vulnerability Advisory: Stored XSS in Directus

CVE-2022-24814 is a stored XSS vulnerability that can lead to account compromise in the admin application of Directus. 

Directus vulnerability | Synopsys


Synopsys Cybersecurity Research Center (CyRC) research has identified a stored cross-site scripting (XSS) vulnerability in Directus, a popular open source headless content management system (CMS) built in JavaScript. Directus App is a web-based admin application that allows users to view and manage content and collections.

The issue found in the Directus App is

  • CVE-2022-24814: Stored XSS in file upload of Directus

Note: A similar issue was previously reported in CVE-2022-22116 and CVE-2022-22117; however, the mitigation implemented for these issues in Directus 9.4.2 is not effective and can be bypassed.

Affected software

  • Directus v9.6.0 and earlier


An authenticated user with access to Directus can abuse the file upload functionality to create a stored XSS attack that is automatically executed when other users view certain collections or files within Directus. In a worst-case scenario, this could lead to the compromise of an admin account and give the attacker full access to all data and settings within Directus.

CVSS 3.1 base score: 5.4 (Medium)
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C


Upgrade to Directus v9.7.0 or later. See release notes for latest version available (

Discovery credit

As the researcher who discovered the vulnerability, I would like to commend the Directus team for their responsiveness and for addressing this vulnerability in a timely matter.


  • January 28, 2022: Initial disclosure
  • March 7, 2022: Directus security team confirms the vulnerability and their intent to patch it
  • March 18, 2022: Directus v9.7.0 is released with a fix for CVE-2022-24814
  • April 11, 2022: Advisory published by Synopsys
Subscribe to the blog for the latest AppSec news

Subscribe today

David Johansson

Posted by

David Johansson

David Johansson

David Johansson is a principal consultant at Synopsys. He has fifteen years of experience in software security and has worked as a consultant for several leading IT security companies. David's expertise is in software development and architecture, web security testing, and training developers and testers in security.

More from Security news and research