CVE-2025-64747
Published 2025-11-13
Priority: P4 (28) · Severity: medium · CVSS 3.1 base score: 5.5
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
EPSS: 0.21% (11.2th percentile)
Directus is a real-time API and App dashboard for managing SQL database content. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 11.13.0 that allows users with `upload files` and `edit item` permissions to inject malicious JavaScript through the Block Editor interface. Attackers can bypass Content Security Policy (CSP) restrictions by combining file uploads with iframe srcdoc attributes, resulting in persistent XSS execution. Version 11.13.0 fixes the issue.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| directus | directus | < 11.13.0 | 11.13.0 |
| directus | directus | >= 0 < 11.13.0 | 11.13.0 |
| monospace | directus | < 11.13.0 | 11.13.0 |
GHSA
Directus is Vulnerable to Stored Cross-site Scripting (GHSA, 2025-11-14)
CVE-2025-64747 [MEDIUM] CWE-20
### Summary
A stored cross-site scripting (XSS) vulnerability exists that allows users with `upload files` and `edit item` permissions to inject malicious JavaScript through the Block Editor interface. Attackers can bypass Content Security Policy (CSP) restrictions by combining file uploads with iframe srcdoc attributes, resulting in persistent XSS execution.
### Details
The vulnerability arises from insufficient sanitization in the Block Editor interface when processing JSON content containing HTML elements. The attack requires two permissions:
- `upload files` - To upload malicious JavaScript files
- `edit item` - To create or modify content with the Block Editor
**Attack Vector:**
1. **JavaScript File Upload**: Attackers upload
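As an added example (not Directus' own code, and not the project's fix), a fail-closed allowlist check over block-editor JSON of the kind described above: it walks every string in the content and reports any tag or attribute outside a small allowlist, so an `<iframe>` carrying a `srcdoc` attribute is rejected before the item is stored rather than being "cleaned". The EditorJS-like block shape and the sample content are assumptions.

```javascript
// Added example, not Directus project code: fail-closed allowlist check for HTML
// fragments embedded in block-editor JSON, meant to run server-side before storage.
// Anything outside the allowlist (an <iframe>, a srcdoc attribute, an inline style) is reported.

const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'code', 'mark', 'a']);
const ALLOWED_ATTRS = { a: new Set(['href', 'target', 'rel']) }; // every other tag: no attributes
const SAFE_HREF = /^(https?:|mailto:|\/|#)/i;

const TAG_RE = /<\s*(\/?)\s*([a-z][\w-]*)([^>]*)>/gi;
const ATTR_RE = /([a-z_:][\w:.-]*)\s*(?:=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/gi;

// Returns human-readable violations for one HTML string; an empty list means clean.
function findHtmlViolations(html, path) {
  const violations = [];
  for (const m of html.matchAll(TAG_RE)) {
    const [, closing, rawTag, rawAttrs] = m;
    const tag = rawTag.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) {
      violations.push(`${path}: tag <${tag}> not allowed`);
      continue; // attributes of a rejected tag (e.g. srcdoc) need no further inspection
    }
    if (closing) continue;
    const allowed = ALLOWED_ATTRS[tag] || new Set();
    for (const a of rawAttrs.matchAll(ATTR_RE)) {
      const name = a[1].toLowerCase();
      const value = (a[2] || '').replace(/^["']|["']$/g, '').trim();
      if (!allowed.has(name)) violations.push(`${path}: attribute ${name} on <${tag}> not allowed`);
      else if (name === 'href' && !SAFE_HREF.test(value)) violations.push(`${path}: unsafe href on <a>`);
    }
  }
  return violations;
}

// Walks every string in the block JSON, so the exact block schema does not matter.
function validateBlockContent(value, path = '$') {
  if (typeof value === 'string') return findHtmlViolations(value, path);
  if (Array.isArray(value)) return value.flatMap((v, i) => validateBlockContent(v, `${path}[${i}]`));
  if (value && typeof value === 'object') {
    return Object.entries(value).flatMap(([k, v]) => validateBlockContent(v, `${path}.${k}`));
  }
  return [];
}

// Constructed samples in an EditorJS-like shape (assumed, not Directus' exact schema).
const SAMPLE_OK = { blocks: [{ type: 'paragraph', data: { text: 'See <a href="/docs">docs</a> and <b>more</b>.' } }] };
const SAMPLE_IFRAME = { blocks: [{ type: 'raw', data: { html: '<iframe srcdoc="&lt;p&gt;hi&lt;/p&gt;"></iframe>' } }] };
const SAMPLE_STYLE = { blocks: [{ type: 'paragraph', data: { text: '<p style="color:red">x</p>' } }] };

console.log(validateBlockContent(SAMPLE_IFRAME)); // two "<iframe> not allowed" entries (open and close tag)
```

Because the check reports rather than rewrites, the rejection can be logged with the path of the offending string, which also gives a detection hook for repeated attempts from one account.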
OSV
Directus is Vulnerable to Stored Cross-site Scripting (OSV, 2025-11-14)
CVE-2025-64747 [MEDIUM]
Advisory text identical to the GHSA entry above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.