Twenty
CVE-2026-26720
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
An issue in Twenty CRM v1.15.0 and before allows a remote attacker to execute arbitrary code via the local.driver.ts module.
Articles & Coverage 1
AnalysisAI
Twenty CRM v1.15.0 has a code injection vulnerability enabling remote attackers to execute arbitrary code through the CRM platform.
Technical ContextAI
Twenty CRM v1.15.0 has a CWE-94 code injection vulnerability. Twenty is an open-source alternative to Salesforce.
RemediationAI
Update Twenty CRM.
The CRM platform Twenty is vulnerable to stored cross site scripting via file upload in version 0.3.0. Rated high severi
Remote code execution in Twenty CRM versions 1.7.7 through 1.16.7 allows authenticated users to execute arbitrary OS com
The CRM platform Twenty version 0.3.0 is vulnerable to SSRF via file upload. Rated medium severity (CVSS 5.4), this vuln
Stored cross-site scripting in Twenty CRM versions 1.18.0 and earlier allows authenticated users to upload HTML/JavaScri
Cross-workspace data disclosure in Twenty CRM before 2.9.0 lets any authenticated user holding the AI settings flag (a w
Stored cross-site scripting in Twenty CRM versions prior to 1.20.6 allows authenticated attackers to inject malicious Ja
Twenty CRM versions prior to 1.18 allow authenticated users to bypass SSRF protections by exploiting unvalidated HTTP re
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today