Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
6DescriptionGitHub Advisory
Twenty is an open source CRM. Prior to 1.20.6, a Stored Cross-Site Scripting (XSS) vulnerability exists in the BlockNote editor component. Due to a lack of protocol validation in the FileBlock component and insufficient server-side inspection of block content, an attacker can inject a javascript: URI into the url property of a file block. This allows the execution of arbitrary JavaScript when a user clicks on the malicious file attachment. This vulnerability is fixed in 1.20.6.
AnalysisAI
Stored cross-site scripting in Twenty CRM versions prior to 1.20.6 allows authenticated attackers to inject malicious JavaScript URIs into file block attachments via the BlockNote editor, executing arbitrary code in the browsers of users who click the malicious link. The vulnerability bypasses protocol validation in the FileBlock component and lacks server-side sanitization of block content; exploitation requires user interaction (clicking the attachment) but persistence is stored on the server, affecting all subsequent users who view the compromised document.
Technical ContextAI
The vulnerability exists in the BlockNote editor component used by Twenty CRM for content editing. The FileBlock component fails to validate the protocol scheme of URLs stored in the url property, allowing attackers to inject javascript: URIs alongside legitimate http/https schemes. The root cause (CWE-79: Improper Neutralization of Input During Web Page Generation) stems from insufficient input validation and output encoding-the server accepts and stores unvalidated block content without sanitizing dangerous protocols, and the client-side rendering does not escape or validate the URL before passing it to user interaction handlers. The CPE cpe:2.3:a:twentyhq:twenty:*:*:*:*:*:*:*:* indicates all versions of Twenty are in scope, with the vulnerable range being versions prior to 1.20.6.
RemediationAI
Upgrade Twenty CRM to version 1.20.6 or later immediately. No workarounds are available for the underlying vulnerability; patching is the primary and only confirmed mitigation. Pending patching, organizations can implement compensating controls: (1) restrict file block creation permissions to trusted administrators only (trade-off: reduces CRM usability for non-admin users), (2) disable or hide the BlockNote editor until patched (trade-off: disables rich-text editing), or (3) implement a Content Security Policy (CSP) with script-src 'self' to prevent inline and javascript: URI execution (trade-off: may break legitimate inline scripts, requires testing). The vendor advisory at https://github.com/twentyhq/twenty/security/advisories/GHSA-7w89-7q26-gj7q and commit at https://github.com/twentyhq/twenty/commit/8da69e0f77ea820a6845a4c3c025b6af3861d523 document the fix.
Twenty CRM v1.15.0 has a code injection vulnerability enabling remote attackers to execute arbitrary code through the CR
The CRM platform Twenty is vulnerable to stored cross site scripting via file upload in version 0.3.0. Rated high severi
Remote code execution in Twenty CRM versions 1.7.7 through 1.16.7 allows authenticated users to execute arbitrary OS com
The CRM platform Twenty version 0.3.0 is vulnerable to SSRF via file upload. Rated medium severity (CVSS 5.4), this vuln
Stored cross-site scripting in Twenty CRM versions 1.18.0 and earlier allows authenticated users to upload HTML/JavaScri
Cross-workspace data disclosure in Twenty CRM before 2.9.0 lets any authenticated user holding the AI settings flag (a w
Twenty CRM versions prior to 1.18 allow authenticated users to bypass SSRF protections by exploiting unvalidated HTTP re
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24161