CVE-2025-64747

Name of the Vulnerable Software and Affected Versions Directus versions prior to 11.13.0

Description Directus is a real-time API and App dashboard for managing SQL database content. A stored cross-site scripting (XSS) issue exists that allows users with upload files and edit item permissions to inject malicious JavaScript through the Block Editor interface. Attackers can bypass Content Security Policy (CSP) restrictions by combining file uploads with iframe srcdoc attributes, resulting in persistent XSS execution.

Recommendations Update to version 11.13.0 or later.