Search criteria
4 vulnerabilities found for twenty by twentyhq
CVE-2026-35451 (GCVE-0-2026-35451)
Vulnerability from nvd – Published: 2026-04-21 16:22 – Updated: 2026-04-21 16:56
VLAI?
Title
Twenty: Stored XSS via BlockNote FileBlock
Summary
Twenty is an open source CRM. Prior to 1.20.6, a Stored Cross-Site Scripting (XSS) vulnerability exists in the BlockNote editor component. Due to a lack of protocol validation in the FileBlock component and insufficient server-side inspection of block content, an attacker can inject a javascript: URI into the url property of a file block. This allows the execution of arbitrary JavaScript when a user clicks on the malicious file attachment. This vulnerability is fixed in 1.20.6.
Severity ?
5.7 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35451",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T16:54:47.995335Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T16:56:02.097Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/twentyhq/twenty/security/advisories/GHSA-7w89-7q26-gj7q"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "twenty",
"vendor": "twentyhq",
"versions": [
{
"status": "affected",
"version": "\u003c 1.20.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Twenty is an open source CRM. Prior to 1.20.6, a Stored Cross-Site Scripting (XSS) vulnerability exists in the BlockNote editor component. Due to a lack of protocol validation in the FileBlock component and insufficient server-side inspection of block content, an attacker can inject a javascript: URI into the url property of a file block. This allows the execution of arbitrary JavaScript when a user clicks on the malicious file attachment. This vulnerability is fixed in 1.20.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T16:22:30.378Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/twentyhq/twenty/security/advisories/GHSA-7w89-7q26-gj7q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/twentyhq/twenty/security/advisories/GHSA-7w89-7q26-gj7q"
},
{
"name": "https://github.com/twentyhq/twenty/commit/8da69e0f77ea820a6845a4c3c025b6af3861d523",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twentyhq/twenty/commit/8da69e0f77ea820a6845a4c3c025b6af3861d523"
}
],
"source": {
"advisory": "GHSA-7w89-7q26-gj7q",
"discovery": "UNKNOWN"
},
"title": "Twenty: Stored XSS via BlockNote FileBlock"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35451",
"datePublished": "2026-04-21T16:22:30.378Z",
"dateReserved": "2026-04-02T19:25:52.192Z",
"dateUpdated": "2026-04-21T16:56:02.097Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27023 (GCVE-0-2026-27023)
Vulnerability from nvd – Published: 2026-03-05 16:23 – Updated: 2026-03-06 16:11
VLAI?
Title
Twenty: SSRF protection bypass via HTTP redirect following in secure HTTP client
Summary
Twenty is an open source CRM. Prior to version 1.18, the SSRF protection in SecureHttpClientService validated request URLs at the request level but did not validate redirect targets. An authenticated user who could control outbound request URLs (e.g., webhook endpoints, image URLs) could bypass private IP blocking by redirecting through an attacker-controlled server. This issue has been patched in version 1.18.
Severity ?
5 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27023",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-06T15:50:55.976803Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T16:11:48.950Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "twenty",
"vendor": "twentyhq",
"versions": [
{
"status": "affected",
"version": "\u003c 1.18"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Twenty is an open source CRM. Prior to version 1.18, the SSRF protection in SecureHttpClientService validated request URLs at the request level but did not validate redirect targets. An authenticated user who could control outbound request URLs (e.g., webhook endpoints, image URLs) could bypass private IP blocking by redirecting through an attacker-controlled server. This issue has been patched in version 1.18."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-05T16:23:31.020Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/twentyhq/twenty/security/advisories/GHSA-wm7q-rvq3-x8q9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/twentyhq/twenty/security/advisories/GHSA-wm7q-rvq3-x8q9"
},
{
"name": "https://github.com/twentyhq/twenty/releases/tag/v1.18.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twentyhq/twenty/releases/tag/v1.18.0"
}
],
"source": {
"advisory": "GHSA-wm7q-rvq3-x8q9",
"discovery": "UNKNOWN"
},
"title": "Twenty: SSRF protection bypass via HTTP redirect following in secure HTTP client"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27023",
"datePublished": "2026-03-05T16:23:31.020Z",
"dateReserved": "2026-02-17T03:08:23.490Z",
"dateUpdated": "2026-03-06T16:11:48.950Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35451 (GCVE-0-2026-35451)
Vulnerability from cvelistv5 – Published: 2026-04-21 16:22 – Updated: 2026-04-21 16:56
VLAI?
Title
Twenty: Stored XSS via BlockNote FileBlock
Summary
Twenty is an open source CRM. Prior to 1.20.6, a Stored Cross-Site Scripting (XSS) vulnerability exists in the BlockNote editor component. Due to a lack of protocol validation in the FileBlock component and insufficient server-side inspection of block content, an attacker can inject a javascript: URI into the url property of a file block. This allows the execution of arbitrary JavaScript when a user clicks on the malicious file attachment. This vulnerability is fixed in 1.20.6.
Severity ?
5.7 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35451",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T16:54:47.995335Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T16:56:02.097Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/twentyhq/twenty/security/advisories/GHSA-7w89-7q26-gj7q"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "twenty",
"vendor": "twentyhq",
"versions": [
{
"status": "affected",
"version": "\u003c 1.20.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Twenty is an open source CRM. Prior to 1.20.6, a Stored Cross-Site Scripting (XSS) vulnerability exists in the BlockNote editor component. Due to a lack of protocol validation in the FileBlock component and insufficient server-side inspection of block content, an attacker can inject a javascript: URI into the url property of a file block. This allows the execution of arbitrary JavaScript when a user clicks on the malicious file attachment. This vulnerability is fixed in 1.20.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T16:22:30.378Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/twentyhq/twenty/security/advisories/GHSA-7w89-7q26-gj7q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/twentyhq/twenty/security/advisories/GHSA-7w89-7q26-gj7q"
},
{
"name": "https://github.com/twentyhq/twenty/commit/8da69e0f77ea820a6845a4c3c025b6af3861d523",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twentyhq/twenty/commit/8da69e0f77ea820a6845a4c3c025b6af3861d523"
}
],
"source": {
"advisory": "GHSA-7w89-7q26-gj7q",
"discovery": "UNKNOWN"
},
"title": "Twenty: Stored XSS via BlockNote FileBlock"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35451",
"datePublished": "2026-04-21T16:22:30.378Z",
"dateReserved": "2026-04-02T19:25:52.192Z",
"dateUpdated": "2026-04-21T16:56:02.097Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27023 (GCVE-0-2026-27023)
Vulnerability from cvelistv5 – Published: 2026-03-05 16:23 – Updated: 2026-03-06 16:11
VLAI?
Title
Twenty: SSRF protection bypass via HTTP redirect following in secure HTTP client
Summary
Twenty is an open source CRM. Prior to version 1.18, the SSRF protection in SecureHttpClientService validated request URLs at the request level but did not validate redirect targets. An authenticated user who could control outbound request URLs (e.g., webhook endpoints, image URLs) could bypass private IP blocking by redirecting through an attacker-controlled server. This issue has been patched in version 1.18.
Severity ?
5 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27023",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-06T15:50:55.976803Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T16:11:48.950Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "twenty",
"vendor": "twentyhq",
"versions": [
{
"status": "affected",
"version": "\u003c 1.18"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Twenty is an open source CRM. Prior to version 1.18, the SSRF protection in SecureHttpClientService validated request URLs at the request level but did not validate redirect targets. An authenticated user who could control outbound request URLs (e.g., webhook endpoints, image URLs) could bypass private IP blocking by redirecting through an attacker-controlled server. This issue has been patched in version 1.18."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-05T16:23:31.020Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/twentyhq/twenty/security/advisories/GHSA-wm7q-rvq3-x8q9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/twentyhq/twenty/security/advisories/GHSA-wm7q-rvq3-x8q9"
},
{
"name": "https://github.com/twentyhq/twenty/releases/tag/v1.18.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twentyhq/twenty/releases/tag/v1.18.0"
}
],
"source": {
"advisory": "GHSA-wm7q-rvq3-x8q9",
"discovery": "UNKNOWN"
},
"title": "Twenty: SSRF protection bypass via HTTP redirect following in secure HTTP client"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27023",
"datePublished": "2026-03-05T16:23:31.020Z",
"dateReserved": "2026-02-17T03:08:23.490Z",
"dateUpdated": "2026-03-06T16:11:48.950Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}