Twentyhq Twenty
5 CVEs affecting Twentyhq Twenty. Latest disclosed: 2026-05-26. Critical: 1, High: 1.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-46624 | Critical | 9.9 | 2026-05-26 | Twenty is an open source CRM. From 1.7.7 through 1.16.7, a critical Remote Code Execution (RCE) vulnerability exists in Twenty CRM via a chained SQL Injection… |
| CVE-2026-44729 | High | 8.7 | 2026-05-26 | Twenty is an open source CRM. In 1.18.0 and earlier, the file serving endpoints in Twenty CRM at /files/* and /file/:fileFolder/:id serve uploaded files using… |
| CVE-2026-35451 | Medium | 5.7 | 2026-04-21 | Twenty is an open source CRM. Prior to 1.20.6, a Stored Cross-Site Scripting (XSS) vulnerability exists in the BlockNote editor component. Due to a lack of pro… |
| CVE-2026-27023 | Medium | 5.0 | 2026-03-05 | Twenty is an open source CRM. Prior to version 1.18, the SSRF protection in SecureHttpClientService validated request URLs at the request level but did not val… |
| CVE-2026-33975 | | | 2026-05-05 | Twenty is an open source CRM built with NestJS (Node.js). In versions 1.18.0 and earlier, the SSRF protection in twenty-server's SecureHttpClientService can be… |