Skip to main content

Twenty CRM CVE-2026-35451

| EUVDEUVD-2026-24161 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-21 GitHub_M
5.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.7 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

6
Patch released
Apr 22, 2026 - 21:17 nvd
Patch available
Patch available
Apr 21, 2026 - 18:01 EUVD
Analysis Generated
Apr 21, 2026 - 17:34 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 17:00 euvd
EUVD-2026-24161
Analysis Generated
Apr 21, 2026 - 17:00 vuln.today
CVE Published
Apr 21, 2026 - 16:22 nvd
MEDIUM 5.7

DescriptionGitHub Advisory

Twenty is an open source CRM. Prior to 1.20.6, a Stored Cross-Site Scripting (XSS) vulnerability exists in the BlockNote editor component. Due to a lack of protocol validation in the FileBlock component and insufficient server-side inspection of block content, an attacker can inject a javascript: URI into the url property of a file block. This allows the execution of arbitrary JavaScript when a user clicks on the malicious file attachment. This vulnerability is fixed in 1.20.6.

AnalysisAI

Stored cross-site scripting in Twenty CRM versions prior to 1.20.6 allows authenticated attackers to inject malicious JavaScript URIs into file block attachments via the BlockNote editor, executing arbitrary code in the browsers of users who click the malicious link. The vulnerability bypasses protocol validation in the FileBlock component and lacks server-side sanitization of block content; exploitation requires user interaction (clicking the attachment) but persistence is stored on the server, affecting all subsequent users who view the compromised document.

Technical ContextAI

The vulnerability exists in the BlockNote editor component used by Twenty CRM for content editing. The FileBlock component fails to validate the protocol scheme of URLs stored in the url property, allowing attackers to inject javascript: URIs alongside legitimate http/https schemes. The root cause (CWE-79: Improper Neutralization of Input During Web Page Generation) stems from insufficient input validation and output encoding-the server accepts and stores unvalidated block content without sanitizing dangerous protocols, and the client-side rendering does not escape or validate the URL before passing it to user interaction handlers. The CPE cpe:2.3:a:twentyhq:twenty:*:*:*:*:*:*:*:* indicates all versions of Twenty are in scope, with the vulnerable range being versions prior to 1.20.6.

RemediationAI

Upgrade Twenty CRM to version 1.20.6 or later immediately. No workarounds are available for the underlying vulnerability; patching is the primary and only confirmed mitigation. Pending patching, organizations can implement compensating controls: (1) restrict file block creation permissions to trusted administrators only (trade-off: reduces CRM usability for non-admin users), (2) disable or hide the BlockNote editor until patched (trade-off: disables rich-text editing), or (3) implement a Content Security Policy (CSP) with script-src 'self' to prevent inline and javascript: URI execution (trade-off: may break legitimate inline scripts, requires testing). The vendor advisory at https://github.com/twentyhq/twenty/security/advisories/GHSA-7w89-7q26-gj7q and commit at https://github.com/twentyhq/twenty/commit/8da69e0f77ea820a6845a4c3c025b6af3861d523 document the fix.

Share

CVE-2026-35451 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy