CVE-2026-44729

8.7 HIGH

Twenty is an open source CRM

Published: 2026-05-26 · Last updated: 2026-05-27

Severity and scoring

CVSS: 8.7 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
CWE: CWE-79

Affected products

Vendor	Product
twenty	twenty

Description

Twenty is an open source CRM. In 1.18.0 and earlier, the file serving endpoints in Twenty CRM at /files/* and /file/:fileFolder/:id serve uploaded files using fileStream.pipe(res) without setting any Content-Type, Content-Disposition, or X-Content-Type-Options response headers. This allows an authenticated attacker to upload an HTML file containing JavaScript, which will be rendered by the victim's browser in the context of the Twenty CRM domain when accessed — enabling session hijacking, account takeover, and data theft.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-44729
[Vendor advisory]https://github.com/twentyhq/twenty/security/advisories/GHSA-f5h2-3qw5-3qp7
[Vendor advisory]https://github.com/twentyhq/twenty/security/advisories/GHSA-f5h2-3qw5-3qp7

Related CVEs

Same vendor

CVE-2026-46624 — Twenty is an open source CRM (9.9 CRITICAL)

Same CWE

CVE-2026-2827 — The Open User Map PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'oum_location_notification' parameter in ... (4.7 MEDIUM)
CVE-2026-42558 — Xibo is an open source digital signage platform with a web content management system and Windows display player software (7.6 HIGH)
CVE-2026-53742 — Simple Link Directory through 9.0.4 echoes embed shortcode attributes into HTML data attributes without escaping in the embedder template (5.4 MEDIUM)
CVE-2026-53741 — Simple Link Directory through 9.0.4 interpolates the sld_no_results_found option into a JavaScript string literal without encoding (5.4 MEDIUM)
CVE-2026-53740 — Yoast Duplicate Post through 4.6 inserts an unescaped post title and permalink into the Classic Editor scheduled republish notice (5.4 MEDIUM)