Description
An issue in Twenty CRM v1.15.0 and before allows a remote attacker to execute arbitrary code via the local.driver.ts module.
Published: 2026-03-02
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An insecure implementation in the local.driver.ts module of Twenty CRM allows a remote attacker to inject and execute arbitrary code. The vulnerability stems from unauthenticated code evaluation exposed through this module, which is classified as Code Injection (CWE-94). An attacker who can reach the CRM instance can exploit the flaw to run any system command, compromising confidentiality, integrity, and availability of the entire server.

Affected Systems

Twenty CRM versions 1.15.0 and earlier are affected. The vulnerability exists in the local.driver.ts file and is present in all releases that have not been patched beyond version 1.15.0.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.8, indicating critical severity. EPSS puts the probability of exploitation below 1%, suggesting that exploitation attempts are currently unlikely; the risk nonetheless remains high because no public fix is available. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of this assessment. Exploitation requires sending a crafted request to the exposed local.driver.ts endpoint, which is reachable from any machine that can access the CRM instance.

Generated by OpenCVE AI on April 17, 2026 at 13:38 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest version of Twenty CRM that resolves the local.driver.ts injection flaw.
  • Verify the vendor’s website for updated releases or patches that address this vulnerability.
  • Restrict external access to the CRM instance and block traffic to the local.driver.ts endpoint from untrusted networks.
  • Replace any eval or dynamic code execution with safe, validated alternatives in the application’s code editor or module loader.


Advisories

No advisories yet.

History

Fri, 17 Apr 2026 14:00:00 +0000

Type: Title
Values Added: Remote Code Execution Vulnerability in Twenty CRM's local.driver.ts Module

Wed, 04 Mar 2026 15:00:00 +0000

Type: First Time appeared
Values Added: Twenty twenty

Type: CPEs
Values Added: cpe:2.3:a:twenty:twenty:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Twenty twenty

Wed, 04 Mar 2026 11:00:00 +0000

Type: First Time appeared
Values Added: Twenty, Twenty crm

Type: Vendors & Products
Values Added: Twenty, Twenty crm

Mon, 02 Mar 2026 17:15:00 +0000

Type: Weaknesses
Values Added: CWE-94

Type: Metrics
Values Added:
cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 15:30:00 +0000

Type: Description
Values Added: An issue in Twenty CRM v1.15.0 and before allows a remote attacker to execute arbitrary code via the local.driver.ts module.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-02T17:00:03.235Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26720

Vulnrichment

Updated: 2026-03-02T16:59:32.103Z

NVD

Status: Analyzed

Published: 2026-03-02T16:16:25.517

Modified: 2026-03-04T14:47:23.503

Link: CVE-2026-26720

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T13:45:16Z

Weaknesses