Description
Twenty is an open source CRM. In 1.18.0 and earlier, the file serving endpoints in Twenty CRM at /files/* and /file/:fileFolder/:id serve uploaded files using fileStream.pipe(res) without setting any Content-Type, Content-Disposition, or X-Content-Type-Options response headers. This allows an authenticated attacker to upload an HTML file containing JavaScript, which will be rendered by the victim's browser in the context of the Twenty CRM domain when accessed — enabling session hijacking, account takeover, and data theft.
Published: 2026-05-26
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Twenty 1.18.0 and earlier expose file-serving endpoints that do not set the Content-Type, Content-Disposition or X-Content-Type-Options headers. An authenticated user can upload an HTML document containing JavaScript; when the victim later accesses the file, the browser executes the script in the context of the Twenty CRM domain. This flaw, classified as CWE-79, can enable session hijacking, account takeover, and data exfiltration.

Affected Systems

The vulnerable product is Twenty, the open-source customer relationship management system from twentyhq. Versions 1.18.0 and earlier are affected. The flaw is present in the file endpoints accessed via /files/* and /file/:fileFolder/:id.

Risk and Exploitability

The CVSS base score of 8.7 indicates high severity. No EPSS data is published, and the vulnerability is not listed in the CISA KEV catalog. The attack requires an authenticated attacker to upload a malicious file and a victim to request that file; therefore, it is medium-to-high risk in environments where users can upload files without additional scrutiny.

Generated by OpenCVE AI on May 26, 2026 at 18:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Twenty CRM installation to a version newer than 1.18.0 once a patch is released by the vendor
  • Configure the web server or application layer to emit correct Content-Type, Content-Disposition, and X-Content-Type-Options headers for all served files
  • Implement a content security policy that restricts inline script execution and prevents cross-site scripting even if malicious content is served

Advisories

No advisories yet.

History

Wed, 27 May 2026 15:00:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:twenty:twenty:*:*:*:*:*:*:*:*

Wed, 27 May 2026 14:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 27 May 2026 09:45:00 +0000

Type: First Time appeared
Values Added: Twenty; Twenty twenty
Type: Vendors & Products
Values Added: Twenty; Twenty twenty

Tue, 26 May 2026 17:00:00 +0000

Type: Description
Values Added: Twenty is an open source CRM. In 1.18.0 and earlier, the file serving endpoints in Twenty CRM at /files/* and /file/:fileFolder/:id serve uploaded files using fileStream.pipe(res) without setting any Content-Type, Content-Disposition, or X-Content-Type-Options response headers. This allows an authenticated attacker to upload an HTML file containing JavaScript, which will be rendered by the victim's browser in the context of the Twenty CRM domain when accessed — enabling session hijacking, account takeover, and data theft.
Type: Title
Values Added: Twenty: Stored Cross-Site Scripting via Unsanitized File Serving (Missing Content-Type/Content-Disposition Headers)
Type: Weaknesses
Values Added: CWE-79
Type: References
Values Added: (none)
Type: Metrics (cvssV3_1)
Values Added: {'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T13:50:28.506Z

Reserved: 2026-05-07T18:04:17.309Z

Link: CVE-2026-44729

Vulnrichment

Updated: 2026-05-27T13:49:59.927Z

NVD

Status: Analyzed

Published: 2026-05-26T17:16:46.837

Modified: 2026-06-17T10:51:17.030

Link: CVE-2026-44729

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T09:30:26Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')