Description

Twenty is an open source CRM. Prior to 1.20.6, a Stored Cross-Site Scripting (XSS) vulnerability exists in the BlockNote editor component. Due to a lack of protocol validation in the FileBlock component and insufficient server-side inspection of block content, an attacker can inject a javascript: URI into the url property of a file block. This allows the execution of arbitrary JavaScript when a user clicks on the malicious file attachment. This vulnerability is fixed in 1.20.6.

INFO

Published Date :

2026-04-21T16:22:30.378Z

Last Modified :

2026-04-21T16:56:02.097Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-35451 vulnerability.

Vendors Products
Twenty
  • Twenty
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-35451.

URL Resource
https://github.com/twentyhq/twenty/commit/8da69e0f77ea820a6845a4c3c025b6af3861d523 cve-icon cve-icon
https://github.com/twentyhq/twenty/security/advisories/GHSA-7w89-7q26-gj7q cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact