Twenty

2 CVEs product


CVE-2026-27023 MEDIUM This Month

Twenty CRM versions prior to 1.18 allow authenticated users to bypass SSRF protections by exploiting unvalidated HTTP redirect targets, enabling access to private IP addresses through attacker-controlled intermediaries. An attacker with control over webhook endpoints or image URLs can leverage this vulnerability to reach restricted internal resources that would normally be blocked.

SSRF Twenty
NVD GitHub
CVSS 3.1: 5.0
EPSS: 0.0%

CVE-2026-26720 CRITICAL POC Act Now

Twenty CRM v1.15.0 has a code injection vulnerability enabling remote attackers to execute arbitrary code through the CRM platform.

RCE Code Injection Twenty
NVD GitHub
CVSS 3.1: 9.8
EPSS: 0.3%
