Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionGitHub Advisory
Twenty is an open source CRM. In 1.18.0 and earlier, the file serving endpoints in Twenty CRM at /files/* and /file/:fileFolder/:id serve uploaded files using fileStream.pipe(res) without setting any Content-Type, Content-Disposition, or X-Content-Type-Options response headers. This allows an authenticated attacker to upload an HTML file containing JavaScript, which will be rendered by the victim's browser in the context of the Twenty CRM domain when accessed - enabling session hijacking, account takeover, and data theft.
AnalysisAI
Stored cross-site scripting in Twenty CRM versions 1.18.0 and earlier allows authenticated users to upload HTML/JavaScript files that the application then serves without security headers, enabling execution in the CRM's origin. Successful exploitation leads to session hijacking, account takeover, and theft of CRM data. No public exploit identified at time of analysis, and EPSS exploitation probability is 0.03% (10th percentile), though SSVC rates technical impact as total.
Technical ContextAI
Twenty is an open-source CRM platform (cpe:2.3:a:twentyhq:twenty). The vulnerability resides in the file-serving endpoints /files/* and /file/:fileFolder/:id, which stream uploaded files back to clients via fileStream.pipe(res) without setting Content-Type, Content-Disposition: attachment, or X-Content-Type-Options: nosniff. Without nosniff, modern browsers MIME-sniff response bodies and will render an uploaded .html file as a document; without Content-Disposition: attachment, the browser inlines rather than downloads it. This is a classic CWE-79 (stored XSS) realized through a content-type confusion / unsafe file-serving pattern, with the attacker-controlled JavaScript executing in the Twenty CRM origin and inheriting access to session cookies, CSRF tokens, and authenticated API endpoints.
RemediationAI
No vendor-released patch version is identified in the supplied data; consult GHSA-f5h2-3qw5-3qp7 (https://github.com/twentyhq/twenty/security/advisories/GHSA-f5h2-3qw5-3qp7) and upgrade to the fixed Twenty release referenced there once confirmed. As compensating controls until upgrade, place the /files/* and /file/:fileFolder/:id endpoints behind a reverse proxy (nginx, Caddy, Cloudflare) that injects Content-Type: application/octet-stream or the original safe MIME type, Content-Disposition: attachment, and X-Content-Type-Options: nosniff on responses - this forces download instead of inline rendering at the cost of breaking legitimate inline image/PDF previews. Optionally restrict upload MIME types to a non-HTML allowlist and serve user uploads from a separate sandbox domain so any executed script cannot reach the CRM session origin; the trade-off is added deployment complexity and CORS configuration. Tighten file-upload permissions to trusted users only to shrink the attacker population, accepting that this does not eliminate the bug for malicious insiders.
Twenty CRM v1.15.0 has a code injection vulnerability enabling remote attackers to execute arbitrary code through the CR
The CRM platform Twenty is vulnerable to stored cross site scripting via file upload in version 0.3.0. Rated high severi
Remote code execution in Twenty CRM versions 1.7.7 through 1.16.7 allows authenticated users to execute arbitrary OS com
The CRM platform Twenty version 0.3.0 is vulnerable to SSRF via file upload. Rated medium severity (CVSS 5.4), this vuln
Cross-workspace data disclosure in Twenty CRM before 2.9.0 lets any authenticated user holding the AI settings flag (a w
Stored cross-site scripting in Twenty CRM versions prior to 1.20.6 allows authenticated attackers to inject malicious Ja
Twenty CRM versions prior to 1.18 allow authenticated users to bypass SSRF protections by exploiting unvalidated HTTP re
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31895