Vulnerability Database

302,032

Total vulnerabilities in the database

CVE-2025-64747

Directus is a real-time API and App dashboard for managing SQL database content. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 11.13.0 that allows users with upload files and edit item permissions to inject malicious JavaScript through the Block Editor interface. Attackers can bypass Content Security Policy (CSP) restrictions by combining file uploads with iframe srcdoc attributes, resulting in persistent XSS execution. Version 11.13.0 fixes the issue.

Published: Nov 13, 2025
Updated: Nov 14, 2025
CVE: CVE-2025-64747
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.5
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

CWEs:

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

No affected software listed.

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo