Directus is a live Api and application dashboard. Used to manage Sql database content, Directus suffers from a cross-site scripting vulnerability that allows unlimited uploads of .html files in the media upload feature, which leads to a cross-site scripting vulnerability. A low-privilege attacker could exploit the vulnerability to upload a crafted HTML file as a configuration file, and when an administrator or other user opens it, the XSS payload is triggered.