Home > Vulnerability Database > CVE-2025-64747

Mend.io Vulnerability Database

CVE-2025-64747

Good to know:

Date: November 13, 2025

Directus is a real-time API and App dashboard for managing SQL database content. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 11.13.0 that allows users with "upload files" and "edit item" permissions to inject malicious JavaScript through the Block Editor interface. Attackers can bypass Content Security Policy (CSP) restrictions by combining file uploads with iframe srcdoc attributes, resulting in persistent XSS execution. Version 11.13.0 fixes the issue.

Severity Score

5.5

Related Resources (5)

Url: https://github.com/directus/directus/commit/d23525317f0780f04aa1fe7a99171a358e43cb2e

Url: https://github.com/directus/directus

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-64747

Url: https://github.com/directus/directus/security/advisories/GHSA-vv2v-pw69-8crf

Url: https://www.mend.io/vulnerability-database/CVE-2025-64747

Severity Score

5.5

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Improper Input Validation

CWE-20

Top Fix

Upgrade Version

Upgrade to version directus - 11.13.0;https://github.com/directus/directus.git - v11.13.0

Learn More

CVSS v3.1

Base Score:	5.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2025-64747

Good to know:

Date: November 13, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?