GHSA-mvv8-v4jj-g47j · Severity: medium · Ecosystem: npm — Directus: Sensitive fields exposed in revision history
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus stores revision records (in directus_revisions) whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline, sensitive fields (including user tokens, two-factor authentication secrets, external auth identifiers, auth data, stored credentials, and AI provider API keys) could be stored in plaintext within revision records. This vulnerability is fixed in 11.17.0.
Conclusion & alert: CVE-2026-39943 is rated Low Risk (30.6/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.04%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-04-10 | — | 0.04% | — |
Full EPSS history (1 record total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 6.5 | 3.1 | MEDIUM |
|
2.8 | 3.6 | [email protected] |
GHSA-mvv8-v4jj-g47j · Severity: medium · Ecosystem: npm — Directus: Sensitive fields exposed in revision history
| URL | Tags |
|---|---|
| https://github.com/directus/directus/releases/tag/v11.17.0 | Product Release Notes |
| https://github.com/directus/directus/security/advisories/GHSA-mvv8-v4jj-g47j | Vendor Advisory |