SSRF in Twentyhq Twenty
CVE-2026-33975
Twenty is an open source CRM built with NestJS (Node.js). In versions 1.18.0 and earlier, the SSRF protection in twenty-server's SecureHttpClientService can be bypassed using IPv4-mapped IPv6 addresses in URL IP literals. Node.js's URL par…
Vulnerability class: SSRF (Server-Side Request Forgery)
EPSS: 0.000 (13.5th percentile)
Affected products
- Twentyhq Twenty — versions <= 1.18.0
Weakness classification (CWE)
References
- https://github.com/twentyhq/twenty/security/advisories/GHSA-vrcj-hv2q-c58m (x_refsource_CONFIRM)