{"data":{"id":"920f3e52-ed19-45e8-b4d2-e2b1be825d2d","title":"GHSA-mvv8-v4jj-g47j: Directus: Sensitive fields exposed in revision history","summary":"Directus, a content management system, failed to properly sanitize sensitive data (like user tokens, two-factor authentication secrets, and API keys) before storing them in revision history records. This meant that anyone with access to the revision database table could read these secrets in plaintext, potentially allowing account takeover or unauthorized access to third-party services.","solution":"N/A -- no mitigation discussed in source. The affected-package data in this record lists 11.17.0 as the fixed release, so upgrading directus to 11.17.0 or later is the indicated remediation; secrets already written to existing revision records may remain readable there, so consider rotating exposed tokens, two-factor secrets and API keys.","labels":["security","privacy"],"sourceUrl":"https://github.com/advisories/GHSA-mvv8-v4jj-g47j","publishedAt":"2026-04-04T06:12:07.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["pii_leakage","data_extraction"],"issueType":"vulnerability","affectedPackages":["directus@< 11.17.0 (fixed: 11.17.0)"],"affectedVendors":["OpenAI","Anthropic","Google"],"affectedVendorsRaw":["Directus","OpenAI","Anthropic","Google"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":true,"disclosureDate":"2026-04-04T06:12:07.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality","integrity"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}