Stored Cross-Site Scripting Vulnerability in Twenty CRM
CVE-2026-35451

5.7 MEDIUM

Key Information:

Vendor: Twentyhq
Status: Vendor
CVE Published: 21 April 2026

What is CVE-2026-35451?

A Stored Cross-Site Scripting (XSS) vulnerability exists in the BlockNote editor component of Twenty CRM prior to version 1.20.6. The vulnerability arises from inadequate protocol validation in the FileBlock component, combined with insufficient server-side inspection of block content. This allows an attacker to inject a javascript: URI into the url property of a file block. Consequently, if a user interacts with a malicious file attachment, arbitrary JavaScript can be executed, posing significant security risks. The issue was resolved in version 1.20.6.
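
The mitigation the description points at is a scheme allowlist applied to the file block's url property on the server, not a client-only check. The following is an added example written for this page, not the fix shipped in Twenty 1.20.6 or BlockNote code; the block shape (`type`, `props.url`, `children`) and the `ORIGIN` base are assumptions.

```javascript
// Allowlist of URL schemes a file block may reference. Anything else
// (javascript:, data:, vbscript:, ...) is rejected outright.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Base used only to resolve relative URLs so their scheme can be read.
// The value is an assumption for this example, not a Twenty setting.
const ORIGIN = "https://crm.example.test";

function isSafeFileUrl(url) {
  if (typeof url !== "string") return false;
  let parsed;
  try {
    // The WHATWG parser strips leading/trailing controls and spaces,
    // drops embedded tabs and newlines, and lowercases the scheme, so
    // " \tJaVa\nScRiPt:" still resolves to javascript: instead of
    // slipping past a naive startsWith("javascript:") check.
    parsed = new URL(url, ORIGIN);
  } catch {
    return false; // unparseable input is not a usable link either
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Server-side pass over a block tree (assumed BlockNote-like shape):
// any file block whose url fails the check has its url cleared and is
// reported, so the client never renders a link to an executable scheme.
// The input document is not mutated.
function sanitizeBlocks(blocks) {
  const rejected = [];
  const walk = (list) =>
    list.map((block) => {
      const copy = { ...block, props: { ...(block.props || {}) } };
      if (copy.type === "file" && copy.props.url !== undefined &&
          !isSafeFileUrl(copy.props.url)) {
        rejected.push(copy.props.url);
        copy.props.url = "";
      }
      if (Array.isArray(block.children)) copy.children = walk(block.children);
      return copy;
    });
  return { blocks: walk(blocks), rejected };
}
```

Logging the `rejected` list gives a detection signal: a stored document that repeatedly fails this check is worth investigating rather than silently cleaning.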

Affected Version(s)

twenty < 1.20.6

CVSS V3.1

Score: 5.7
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability Reserved
