{"id":"CVE-2022-22116","details":"In Directus, versions 9.0.0-alpha.4 through 9.4.1 are vulnerable to stored Cross-Site Scripting (XSS) via SVG file upload in the media upload functionality. A low-privileged attacker can inject arbitrary JavaScript code, which is executed in a victim’s browser when they open the image URL.","modified":"2026-04-10T04:44:19.399237Z","published":"2022-01-10T16:15:10.057Z","references":[{"type":"FIX","url":"https://github.com/directus/directus/commit/ec86d5412d45136915d9b622b4a890dd26932b10"},{"type":"EVIDENCE","url":"https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22116"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/directus/directus","events":[{"introduced":"ba72d2cfd040f7f0db282ccac006f36df6f05058"},{"last_affected":"4991ba858bdde8bdf03aee475d77a218da6e46ab"},{"introduced":"0"},{"last_affected":"c95add08ef1386cab6e54546f03d541d889148ed"},{"fixed":"ec86d5412d45136915d9b622b4a890dd26932b10"}],"database_specific":{"versions":[{"introduced":"9.0.1"},{"last_affected":"9.4.1"},{"introduced":"0"},{"last_affected":"9.0.0-NA"}]}}],"versions":["v9.0.0","v9.0.0-alpha.10","v9.0.0-alpha.14","v9.0.0-alpha.15","v9.0.0-alpha.16","v9.0.0-alpha.17","v9.0.0-alpha.18","v9.0.0-alpha.20","v9.0.0-alpha.21","v9.0.0-alpha.22","v9.0.0-alpha.23","v9.0.0-alpha.24","v9.0.0-alpha.25","v9.0.0-alpha.26","v9.0.0-alpha.27","v9.0.0-alpha.31","v9.0.0-alpha.32","v9.0.0-alpha.33","v9.0.0-alpha.34","v9.0.0-alpha.36","v9.0.0-alpha.37","v9.0.0-alpha.38","v9.0.0-alpha.39","v9.0.0-alpha.4","v9.0.0-alpha.40","v9.0.0-alpha.41","v9.0.0-alpha.42","v9.0.0-alpha.5","v9.0.0-alpha.6","v9.0.0-alpha.7","v9.0.0-alpha.8","v9.0.0-alpha.9","v9.0.0-beta.0","v9.0.0-beta.1","v9.0.0-beta.10","v9.0.0-beta.11","v9.0.0-beta.12","v9.0.0-beta.13","v9.0.0-beta.14","v9.0.0-beta.2","v9.0.0-beta.3","v9.0.0-beta.4","v9.0.0-beta.5","v9.0.0-beta.7","v9.0.0-beta.8","v9.0.0-beta.9","v9.0.0-rc.0","v9.0.0-rc.1","v9.0.0-rc.10","v9.0.0-rc.100","v9.0.0-rc.101
","v9.0.0-rc.11","v9.0.0-rc.12","v9.0.0-rc.13","v9.0.0-rc.14","v9.0.0-rc.15","v9.0.0-rc.17","v9.0.0-rc.18","v9.0.0-rc.19","v9.0.0-rc.2","v9.0.0-rc.20","v9.0.0-rc.21","v9.0.0-rc.22","v9.0.0-rc.23","v9.0.0-rc.24","v9.0.0-rc.25","v9.0.0-rc.26","v9.0.0-rc.27","v9.0.0-rc.28","v9.0.0-rc.29","v9.0.0-rc.3","v9.0.0-rc.30","v9.0.0-rc.31","v9.0.0-rc.32","v9.0.0-rc.33","v9.0.0-rc.34","v9.0.0-rc.35","v9.0.0-rc.36","v9.0.0-rc.37","v9.0.0-rc.38","v9.0.0-rc.39","v9.0.0-rc.4","v9.0.0-rc.40","v9.0.0-rc.41","v9.0.0-rc.42","v9.0.0-rc.43","v9.0.0-rc.44","v9.0.0-rc.45","v9.0.0-rc.46","v9.0.0-rc.47","v9.0.0-rc.48","v9.0.0-rc.49","v9.0.0-rc.5","v9.0.0-rc.50","v9.0.0-rc.51","v9.0.0-rc.52","v9.0.0-rc.53","v9.0.0-rc.54","v9.0.0-rc.55","v9.0.0-rc.56","v9.0.0-rc.57","v9.0.0-rc.58","v9.0.0-rc.59","v9.0.0-rc.6","v9.0.0-rc.60","v9.0.0-rc.61","v9.0.0-rc.62","v9.0.0-rc.63","v9.0.0-rc.64","v9.0.0-rc.65","v9.0.0-rc.66","v9.0.0-rc.67","v9.0.0-rc.68","v9.0.0-rc.69","v9.0.0-rc.7","v9.0.0-rc.70","v9.0.0-rc.71","v9.0.0-rc.72","v9.0.0-rc.73","v9.0.0-rc.74","v9.0.0-rc.75","v9.0.0-rc.76","v9.0.0-rc.77","v9.0.0-rc.78","v9.0.0-rc.79","v9.0.0-rc.8","v9.0.0-rc.80","v9.0.0-rc.81","v9.0.0-rc.82","v9.0.0-rc.83","v9.0.0-rc.84","v9.0.0-rc.85","v9.0.0-rc.86","v9.0.0-rc.87","v9.0.0-rc.88","v9.0.0-rc.89","v9.0.0-rc.9","v9.0.0-rc.90","v9.0.0-rc.91","v9.0.0-rc.92","v9.0.0-rc.93","v9.0.0-rc.94","v9.0.0-rc.95","v9.0.0-rc.96","v9.0.0-rc.97","v9.0.0-rc.98","v9.0.0-rc.99","v9.0.0-y.0","v9.0.1","v9.1.0","v9.1.1","v9.1.2","v9.2.0","v9.2.1","v9.2.2","v9.3.0","v9.4.0","v9.4.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-22116.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha10"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha11"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha12"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha13"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha14"}]
},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha15"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha16"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha17"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha18"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha19"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha20"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha21"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha22"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha23"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha24"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha25"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha26"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha27"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha31"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha32"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha33"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha34"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha35"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha36"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha37"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha38"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha39"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha4"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha40"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha41"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha42"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha5"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha6"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha7"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-alpha8"}]},{"events":[{"introduced
":"0"},{"last_affected":"9.0.0-alpha9"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-beta0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-beta1"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-beta10"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-beta11"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-beta12"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-beta13"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-beta14"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-beta2"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-beta3"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-beta4"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-beta5"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-beta7"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-beta8"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-beta9"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc1"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc10"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc100"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc101"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc11"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc12"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc13"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc14"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc15"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc17"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc18"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc19"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc2"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc20"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc21"}]},{"events":[{"introduced":"0"},{"last_affected":"9.
0.0-rc22"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc23"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc24"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc25"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc26"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc27"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc28"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc29"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc3"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc30"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc31"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc32"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc33"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc34"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc35"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc36"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc37"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc38"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc39"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc4"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc40"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc41"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc42"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc43"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc44"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc45"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc46"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc47"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc48"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc49"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc5"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc50"}]},{"events":[{"introduced":"0"},{"last_
affected":"9.0.0-rc51"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc52"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc53"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc54"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc55"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc56"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc57"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc58"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc59"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc6"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc60"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc61"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc62"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc63"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc64"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc65"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc66"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc67"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc68"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc69"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc7"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc70"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc71"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc72"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc73"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc74"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc75"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc76"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc77"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc78"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc79"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc8"}]},{"events":[{"introduced"
:"0"},{"last_affected":"9.0.0-rc80"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc81"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc82"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc83"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc84"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc85"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc86"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc87"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc88"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc89"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc9"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc90"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc91"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc92"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc93"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc94"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc95"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc96"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc97"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc98"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0.0-rc99"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}