Skip to main content

Twenty

8 CVEs product

Monthly

CVE-2026-55583 HIGH PATCH This Week

Cross-workspace data disclosure in Twenty CRM before 2.9.0 lets any authenticated user holding the AI settings flag (a workspace owner by default) read another tenant's AI agent chat history and trigger LLM evaluations against the victim's data on the same instance. By supplying a victim's agentId or turnId to the agentTurns query or evaluateAgentTurn mutation, an attacker retrieves raw chat text, tool calls, and tool outputs that belong to a different workspace. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Twenty
NVD GitHub
CVSS 3.1
7.6
EPSS
0.2%
CVE-2026-46624 CRITICAL Act Now

Remote code execution in Twenty CRM versions 1.7.7 through 1.16.7 allows authenticated users to execute arbitrary OS commands on the database server by chaining SQL injection in the REST API groupBy endpoint with PostgreSQL's COPY TO PROGRAM functionality. The unsanitized timeZone parameter is interpolated directly into raw SQL via JavaScript template literals, and exploitation succeeds whenever the application's Postgres role holds superuser privileges. Publicly available exploit code exists per SSVC, though EPSS scoring (0.15%) suggests exploitation activity has not yet become widespread.

RCE SQLi PostgreSQL Command Injection Twenty
NVD GitHub
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-44729 HIGH This Week

Stored cross-site scripting in Twenty CRM versions 1.18.0 and earlier allows authenticated users to upload HTML/JavaScript files that the application then serves without security headers, enabling execution in the CRM's origin. Successful exploitation leads to session hijacking, account takeover, and theft of CRM data. No public exploit identified at time of analysis, and EPSS exploitation probability is 0.03% (10th percentile), though SSVC rates technical impact as total.

XSS Twenty
NVD GitHub VulDB
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-35451 MEDIUM PATCH This Month

Stored cross-site scripting in Twenty CRM versions prior to 1.20.6 allows authenticated attackers to inject malicious JavaScript URIs into file block attachments via the BlockNote editor, executing arbitrary code in the browsers of users who click the malicious link. The vulnerability bypasses protocol validation in the FileBlock component and lacks server-side sanitization of block content; exploitation requires user interaction (clicking the attachment) but persistence is stored on the server, affecting all subsequent users who view the compromised document.

XSS Twenty
NVD GitHub
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-27023 MEDIUM This Month

Twenty CRM versions prior to 1.18 allow authenticated users to bypass SSRF protections by exploiting unvalidated HTTP redirect targets, enabling access to private IP addresses through attacker-controlled intermediaries. An attacker with control over webhook endpoints or image URLs can leverage this vulnerability to reach restricted internal resources that would normally be blocked.

SSRF Twenty
NVD GitHub
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-26720 CRITICAL POC Act Now

Twenty CRM v1.15.0 has a code injection vulnerability enabling remote attackers to execute arbitrary code through the CRM platform.

RCE Code Injection Twenty
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2024-28435 MEDIUM POC This Month

The CRM platform Twenty version 0.3.0 is vulnerable to SSRF via file upload. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF File Upload Twenty
NVD GitHub
CVSS 3.1
5.4
EPSS
0.4%
CVE-2024-28434 HIGH POC This Week

The CRM platform Twenty is vulnerable to stored cross site scripting via file upload in version 0.3.0. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS File Upload Twenty
NVD GitHub
CVSS 3.1
7.6
EPSS
0.7%
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Cross-workspace data disclosure in Twenty CRM before 2.9.0 lets any authenticated user holding the AI settings flag (a workspace owner by default) read another tenant's AI agent chat history and trigger LLM evaluations against the victim's data on the same instance. By supplying a victim's agentId or turnId to the agentTurns query or evaluateAgentTurn mutation, an attacker retrieves raw chat text, tool calls, and tool outputs that belong to a different workspace. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Twenty
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL Act Now

Remote code execution in Twenty CRM versions 1.7.7 through 1.16.7 allows authenticated users to execute arbitrary OS commands on the database server by chaining SQL injection in the REST API groupBy endpoint with PostgreSQL's COPY TO PROGRAM functionality. The unsanitized timeZone parameter is interpolated directly into raw SQL via JavaScript template literals, and exploitation succeeds whenever the application's Postgres role holds superuser privileges. Publicly available exploit code exists per SSVC, though EPSS scoring (0.15%) suggests exploitation activity has not yet become widespread.

RCE SQLi PostgreSQL +2
NVD GitHub
EPSS 0% CVSS 8.7
HIGH This Week

Stored cross-site scripting in Twenty CRM versions 1.18.0 and earlier allows authenticated users to upload HTML/JavaScript files that the application then serves without security headers, enabling execution in the CRM's origin. Successful exploitation leads to session hijacking, account takeover, and theft of CRM data. No public exploit identified at time of analysis, and EPSS exploitation probability is 0.03% (10th percentile), though SSVC rates technical impact as total.

XSS Twenty
NVD GitHub VulDB
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Stored cross-site scripting in Twenty CRM versions prior to 1.20.6 allows authenticated attackers to inject malicious JavaScript URIs into file block attachments via the BlockNote editor, executing arbitrary code in the browsers of users who click the malicious link. The vulnerability bypasses protocol validation in the FileBlock component and lacks server-side sanitization of block content; exploitation requires user interaction (clicking the attachment) but persistence is stored on the server, affecting all subsequent users who view the compromised document.

XSS Twenty
NVD GitHub
EPSS 0% CVSS 5.0
MEDIUM This Month

Twenty CRM versions prior to 1.18 allow authenticated users to bypass SSRF protections by exploiting unvalidated HTTP redirect targets, enabling access to private IP addresses through attacker-controlled intermediaries. An attacker with control over webhook endpoints or image URLs can leverage this vulnerability to reach restricted internal resources that would normally be blocked.

SSRF Twenty
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Twenty CRM v1.15.0 has a code injection vulnerability enabling remote attackers to execute arbitrary code through the CRM platform.

RCE Code Injection Twenty
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC This Month

The CRM platform Twenty version 0.3.0 is vulnerable to SSRF via file upload. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF File Upload Twenty
NVD GitHub
EPSS 1% CVSS 7.6
HIGH POC This Week

The CRM platform Twenty is vulnerable to stored cross site scripting via file upload in version 0.3.0. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS File Upload Twenty
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy