Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Directus - CVE-2024-54128

Published: December 5, 2024 / Updated: April 23, 2026


Vulnerability identifier: #VU127109
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-54128
CWE-ID: CWE-80
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Directus
Affected software:
Directus

Detailed vulnerability description

The vulnerability allows a remote authenticated user to perform cross-site scripting (XSS) attacks and, through them, disclose sensitive information.

The vulnerability exists due to improper neutralization of script-related HTML tags in the comment feature when handling comment update requests. A remote user with permission to update comments can submit a specially crafted update request that stores script-related HTML in the comment; the markup is later rendered, without neutralization, in the browser of any user who views that comment.

User interaction is required: the victim has to view the injected comment (UI:A in the CVSS vector above). Script that runs there executes in the viewing user's session, so it can perform authenticated actions and read data with that user's privileges.
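The pattern the description above points at, as an added example that is not Directus code: a comments service that neutralizes script-related HTML when a comment is created but writes the raw content when it is updated (the vulnerable shape), beside one that applies the same allow-list sanitizer on both write paths (the hardened shape). The class and function names, the allow-list of tags, the audit check and the sample comment are assumptions for illustration; the actual fix is the vendor update.

```javascript
// Added example, not Directus code. Models the advisory's pattern: comment
// content is neutralized on create but not on update, so an authenticated
// user can store script-related HTML through the update path.
// All names below (CommentsService, sanitize, store, PAYLOAD) are illustrative.

// Bare formatting tags (no attributes) that the toy sanitizer lets through.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'code']);

// Escape a text run so the browser treats it as data, never as markup.
function escapeHtml(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Allow-list sanitizer: keeps only bare tags from ALLOWED_TAGS and escapes
// every other '<', so <script>, <img onerror=...>, <a href="javascript:...">
// and any attribute-bearing tag all become inert text instead of markup.
function sanitize(comment) {
  const tagRe = /<\/?([a-zA-Z]+)>/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(comment)) !== null) {
    out += escapeHtml(comment.slice(last, m.index));
    out += ALLOWED_TAGS.has(m[1].toLowerCase()) ? m[0].toLowerCase() : escapeHtml(m[0]);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(comment.slice(last));
}

// Audit check for stored rows: true if a comment still carries a real tag that
// is script-capable (script/iframe/... or any tag with an event handler or a
// javascript: href). Escaped text such as "&lt;img" does not match.
function containsScriptMarkup(stored) {
  return /<\s*(script|iframe|object|embed|svg|math)\b|<\s*[a-z][^>]*\s(on\w+\s*=|href\s*=\s*["']?\s*javascript:)/i.test(stored);
}

// Vulnerable shape: neutralization only on the create path.
class VulnerableCommentsService {
  constructor() { this.store = new Map(); }          // in-memory stand-in for the DB
  create(id, comment) { this.store.set(id, sanitize(comment)); }
  update(id, comment) { this.store.set(id, comment); } // raw write, no sanitizer
  read(id) { return this.store.get(id); }
}

// Hardened shape: the same neutralization on every write path.
class HardenedCommentsService extends VulnerableCommentsService {
  update(id, comment) { this.store.set(id, sanitize(comment)); }
}

// Constructed sample: a benign-looking edit carrying an event-handler payload.
const PAYLOAD = 'Thanks! <b>fixed</b> <img src=x onerror="fetch(\'/users/me\')">';

// Runs the same create-then-update sequence against both services and returns
// what each ends up storing for the viewer to render.
function demo() {
  const vuln = new VulnerableCommentsService();
  vuln.create('c1', 'looks good');
  vuln.update('c1', PAYLOAD);

  const hard = new HardenedCommentsService();
  hard.create('c1', 'looks good');
  hard.update('c1', PAYLOAD);

  return { vulnerable: vuln.read('c1'), hardened: hard.read('c1') };
}

console.log(JSON.stringify(demo(), null, 2));
```

The sanitizer here is deliberately tiny and conservative (anything it does not recognise is escaped, never stripped, so there is no tag re-assembly to worry about); a production service should use a maintained allow-list sanitizer and, as the example shows, call it from every path that writes comment content, not only from create. The `containsScriptMarkup` check is the kind of query a practitioner would run over already-stored comments after patching.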


How to mitigate CVE-2024-54128

Install the security update from the vendor's website. After updating, confirm the fix on the path the description names: from a low-privileged test account, update an existing comment with script-related HTML and verify that it is stored or rendered neutralized rather than as markup. Review comments modified before the update as well, since content already stored through the unpatched update path is not necessarily re-sanitized by the upgrade.
