Skip to main content

Twenty CRM EUVDEUVD-2026-31895

| CVE-2026-44729 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-26 GitHub_M
8.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 10:15 vuln.today

DescriptionGitHub Advisory

Twenty is an open source CRM. In 1.18.0 and earlier, the file serving endpoints in Twenty CRM at /files/* and /file/:fileFolder/:id serve uploaded files using fileStream.pipe(res) without setting any Content-Type, Content-Disposition, or X-Content-Type-Options response headers. This allows an authenticated attacker to upload an HTML file containing JavaScript, which will be rendered by the victim's browser in the context of the Twenty CRM domain when accessed - enabling session hijacking, account takeover, and data theft.

AnalysisAI

Stored cross-site scripting in Twenty CRM versions 1.18.0 and earlier allows authenticated users to upload HTML/JavaScript files that the application then serves without security headers, enabling execution in the CRM's origin. Successful exploitation leads to session hijacking, account takeover, and theft of CRM data. No public exploit identified at time of analysis, and EPSS exploitation probability is 0.03% (10th percentile), though SSVC rates technical impact as total.

Technical ContextAI

Twenty is an open-source CRM platform (cpe:2.3:a:twentyhq:twenty). The vulnerability resides in the file-serving endpoints /files/* and /file/:fileFolder/:id, which stream uploaded files back to clients via fileStream.pipe(res) without setting Content-Type, Content-Disposition: attachment, or X-Content-Type-Options: nosniff. Without nosniff, modern browsers MIME-sniff response bodies and will render an uploaded .html file as a document; without Content-Disposition: attachment, the browser inlines rather than downloads it. This is a classic CWE-79 (stored XSS) realized through a content-type confusion / unsafe file-serving pattern, with the attacker-controlled JavaScript executing in the Twenty CRM origin and inheriting access to session cookies, CSRF tokens, and authenticated API endpoints.

RemediationAI

No vendor-released patch version is identified in the supplied data; consult GHSA-f5h2-3qw5-3qp7 (https://github.com/twentyhq/twenty/security/advisories/GHSA-f5h2-3qw5-3qp7) and upgrade to the fixed Twenty release referenced there once confirmed. As compensating controls until upgrade, place the /files/* and /file/:fileFolder/:id endpoints behind a reverse proxy (nginx, Caddy, Cloudflare) that injects Content-Type: application/octet-stream or the original safe MIME type, Content-Disposition: attachment, and X-Content-Type-Options: nosniff on responses - this forces download instead of inline rendering at the cost of breaking legitimate inline image/PDF previews. Optionally restrict upload MIME types to a non-HTML allowlist and serve user uploads from a separate sandbox domain so any executed script cannot reach the CRM session origin; the trade-off is added deployment complexity and CORS configuration. Tighten file-upload permissions to trusted users only to shrink the attacker population, accepting that this does not eliminate the bug for malicious insiders.

Share

EUVD-2026-31895 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy