Improper Input Validation
CVE-2025-64747
Summary
Directus is a real-time API and App dashboard for managing SQL database content. A Stored Cross-Site Scripting (XSS) vulnerability exists in versions prior to 11.13.0 that allows users holding both the `upload files` and `edit item` permissions to inject malicious JavaScript through the Block Editor interface. Attackers can bypass Content Security Policy (CSP) restrictions by combining file uploads with iframe `srcdoc` attributes, resulting in persistent XSS execution for any user who views the affected item. Version
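The advisory's point is that block-editor content is stored HTML, so a user with edit rights can persist an `<iframe srcdoc="...">` (an inline document that inherits the embedding page's CSP) alongside an uploaded file. The following is an added audit helper, not Directus code: it walks block-editor JSON and flags markup that can carry script (iframe/script/object/embed elements, `srcdoc`, `on*` handlers, `javascript:`/`data:` URLs). It assumes an Editor.js-style block shape (`{"blocks": [{"type": ..., "data": {...}}]}`) with HTML in string fields; that shape and the sample content are constructed for the example.

```python
"""Audit stored block-editor content for markup that can carry script.

Added example, not Directus code. The Editor.js-style block layout
({"blocks": [{"type": ..., "data": {...}}]}) is an assumption.
"""
from html.parser import HTMLParser

# Elements that execute script or embed a script-capable document.
DANGEROUS_TAGS = {"script", "iframe", "object", "embed"}
# Attributes whose value is a URL and may carry a javascript:/data: scheme.
URL_ATTRS = {"src", "href", "xlink:href", "data", "action", "formaction"}


class MarkupAuditor(HTMLParser):
    """Collects a finding for every risky start tag in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {name.lower(): (value or "") for name, value in attrs}
        if tag in DANGEROUS_TAGS:
            self.findings.append(f"<{tag}> element")
        if "srcdoc" in attrs:
            # srcdoc is a complete inline document rendered under the
            # embedding page's CSP: the vector named in the advisory.
            self.findings.append(f"srcdoc on <{tag}>")
        for name, value in attrs.items():
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            # Browsers drop tabs/newlines inside a URL, so "java\nscript:"
            # still runs; collapse whitespace before checking the scheme.
            url = "".join(value.split()).lower()
            if name in URL_ATTRS and url.startswith(("javascript:", "data:")):
                self.findings.append(f"{url.split(':')[0]}: URL in {name} on <{tag}>")


def audit_html(fragment: str) -> list[str]:
    """Return the findings for one HTML fragment (empty list if clean)."""
    parser = MarkupAuditor()
    parser.feed(fragment)
    parser.close()
    return parser.findings


def _strings(value):
    """Yield every string nested anywhere inside a block's data."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for item in value.values():
            yield from _strings(item)
    elif isinstance(value, list):
        for item in value:
            yield from _strings(item)


def audit_blocks(content: dict) -> list[tuple[int, str]]:
    """Return (block index, finding) pairs for a block-editor document."""
    results = []
    for index, block in enumerate(content.get("blocks", [])):
        for text in _strings(block.get("data", {})):
            for finding in audit_html(text):
                results.append((index, finding))
    return results


# Constructed sample content for the example; not from a real instance.
SAMPLE = {"blocks": [
    {"type": "paragraph", "data": {"text": "Plain <b>bold</b> text"}},
    {"type": "raw", "data": {"html": '<iframe srcdoc="<script>alert(document.domain)</script>"></iframe>'}},
    {"type": "paragraph", "data": {"text": '<a href="java\nscript:alert(1)">link</a>'}},
    {"type": "raw", "data": {"html": "<img src=x onerror=alert(1)>"}},
]}

if __name__ == "__main__":
    for index, finding in audit_blocks(SAMPLE):
        print(f"block {index}: {finding}")
```

Run it against exported item data after upgrading to audit content that was stored while the vulnerable version was in use; a stdlib HTML parser is used so that attribute values containing `<` (as in the `srcdoc` case) are handled as attributes rather than as nested tags, which a regex scan would get wrong.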
CVSS v3 base metrics (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L):
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: LOW
- User Interaction: REQUIRED
- Scope: UNCHANGED
- Confidentiality Impact: LOW
- Integrity Impact: LOW
- Availability Impact: LOW
CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
References
Advisory Timeline
- Published