Description
Twenty is an open source CRM. Prior to 1.20.6, a Stored Cross-Site Scripting (XSS) vulnerability exists in the BlockNote editor component. Due to a lack of protocol validation in the FileBlock component and insufficient server-side inspection of block content, an attacker can inject a javascript: URI into the url property of a file block. This allows the execution of arbitrary JavaScript when a user clicks on the malicious file attachment. This vulnerability is fixed in 1.20.6.
Published: 2026-04-21
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Upgrade
AI Analysis

Impact

Twenty contains a Stored Cross‑Site Scripting vulnerability in the BlockNote editor. Because the FileBlock component does not validate the protocol and the server lacks adequate inspection, an attacker can embed a javascript: URI into the url property of a file block. When a user later clicks the malicious attachment, arbitrary JavaScript is executed in the victim’s browser, enabling code execution, session hijacking, or other client‑side attacks.

Affected Systems

The affected product is the open source CRM Twenty, produced by TwentyHQ. The vulnerability exists in any installation running a version earlier than 1.20.6; versions 1.20.6 and newer contain the remedy.

Risk and Exploitability

The CVSS score of 5.7 indicates medium severity, and the lack of an EPSS value means the exploitation probability is not quantified. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to store a malicious file block, which likely requires some level of access to create or modify content, and a victim must click the injected link. The resulting code execution can compromise confidentiality and integrity of the victim’s session.

Generated by OpenCVE AI on April 21, 2026 at 22:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Twenty installation to version 1.20.6 or later to eliminate the vulnerable protocol handling.
  • If an immediate upgrade is not feasible, disable the FileBlock attachment feature or restrict attachment uploads to trusted users.
  • Search existing data for file blocks whose url property contains a javascript: URI and replace or remove them to prevent stored XSS.
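As an added example (not code from the Twenty project), the kind of protocol allowlist the description says FileBlock lacked, together with the scan over stored blocks that the last recommended action describes; the block shape `{type, props: {url, name}}` and the application origin are assumed stand-ins for the real BlockNote document model.

```javascript
// Added example, not Twenty's code. Models the missing check named in the
// advisory: a file block's url is accepted only when its parsed scheme is on
// an allowlist, and already-stored blocks can be scanned for javascript: URIs.
// ASSUMPTIONS: the block shape {type, props: {url, name}} and APP_ORIGIN are
// hypothetical stand-ins for the real BlockNote document model.

const APP_ORIGIN = "https://crm.example.invalid";
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// True only when `raw` resolves to an http(s) URL. The WHATWG URL parser
// (resolving relative paths against APP_ORIGIN) lower-cases the scheme, trims
// leading/trailing whitespace and drops embedded tab/newline characters, so
// "JavaScript:", " javascript:" and "java\tscript:" all parse to protocol
// "javascript:" and are rejected. Unparseable input fails closed.
function isSafeAttachmentUrl(raw) {
  if (typeof raw !== "string" || raw.trim() === "") return false;
  let parsed;
  try {
    parsed = new URL(raw, APP_ORIGIN);
  } catch {
    return false;
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol);
}

// Server-side inspection for the remediation step: the file blocks whose url
// would not pass the allowlist, so they can be reviewed or removed.
function findUnsafeFileBlocks(blocks) {
  return blocks.filter(
    (b) => b && b.type === "file" && !isSafeAttachmentUrl(b.props && b.props.url)
  );
}

// "Replace or remove": swap each rejected file block for an inert paragraph.
function neutralizeFileBlocks(blocks) {
  const unsafe = new Set(findUnsafeFileBlocks(blocks));
  return blocks.map((b) =>
    unsafe.has(b)
      ? { type: "paragraph", content: `[removed unsafe attachment: ${b.props.name}]` }
      : b
  );
}

// Constructed sample document (not real Twenty data).
const SAMPLE_BLOCKS = [
  { type: "paragraph", content: "Quarterly notes" },
  { type: "file", props: { name: "report.pdf", url: "https://files.example.invalid/report.pdf" } },
  { type: "file", props: { name: "scan.png", url: "/storage/scan.png" } },
  { type: "file", props: { name: "invoice.pdf", url: "javascript:alert(1)" } },
  { type: "file", props: { name: "memo.txt", url: " JAVA\tSCRIPT:alert(1)" } },
];
```

Note that the allowlist judges the scheme only; restricting the host of `url` to the deployment's own storage origin is a separate policy decision.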

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Twenty; Twenty twenty
Vendors & Products | | Twenty; Twenty twenty

Tue, 21 Apr 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 21 Apr 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | Twenty is an open source CRM. Prior to 1.20.6, a Stored Cross-Site Scripting (XSS) vulnerability exists in the BlockNote editor component. Due to a lack of protocol validation in the FileBlock component and insufficient server-side inspection of block content, an attacker can inject a javascript: URI into the url property of a file block. This allows the execution of arbitrary JavaScript when a user clicks on the malicious file attachment. This vulnerability is fixed in 1.20.6.
Title | | Twenty: Stored XSS via BlockNote FileBlock
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1: {'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T16:56:02.097Z

Reserved: 2026-04-02T19:25:52.192Z

Link: CVE-2026-35451

Vulnrichment

Updated: 2026-04-21T16:55:52.016Z

NVD

Status: Deferred

Published: 2026-04-21T17:16:53.087

Modified: 2026-04-22T21:17:23.590

Link: CVE-2026-35451

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:46:13Z

Weaknesses