CVE-2025-64747: Improper Input Validation in Directus

Severity
5.5 MEDIUM (NVD)
EPSS
0.0%
top 91.38%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Nov 13
Latest update: Nov 14

Description

Directus is a real-time API and App dashboard for managing SQL database content. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 11.13.0 that allows users with `upload files` and `edit item` permissions to inject malicious JavaScript through the Block Editor interface. Attackers can bypass Content Security Policy (CSP) restrictions by combining file uploads with iframe srcdoc attributes, resulting in persistent XSS execution. Version 11.13.0 fixes the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Exploitability: 2.1 | Impact: 3.4

Affected Packages (3 packages)

Source      Package               Affected versions
CVEListV5   directus/directus     < 11.13.0
npm         directus/directus     < 11.13.0
NVD         monospace/directus    < 11.13.0

Patches

Vulnerability Details (2 references)

GHSA: Directus is Vulnerable to Stored Cross-site Scripting (2025-11-14)
OSV: Directus is Vulnerable to Stored Cross-site Scripting (2025-11-14)