CVE-2026-44729

CVSS Score & Metrics

Base Score

8.7 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N                                    

Vulnerability Description

Twenty is an open source CRM. In 1.18.0 and earlier, the file serving endpoints in Twenty CRM at /files/* and /file/:fileFolder/:id serve uploaded files using fileStream.pipe(res) without setting any Content-Type, Content-Disposition, or X-Content-Type-Options response headers. This allows an authenticated attacker to upload an HTML file containing JavaScript, which will be rendered by the victim's browser in the context of the Twenty CRM domain when accessed — enabling session hijacking, account takeover, and data theft.

Vulnerability Details

Published Date

May 26, 2026

Last Modified

May 26, 2026

CWE ID

CWE-79

Source

NVD

Vendor

twentyhq

Product

twenty

External References

https://github.com/twentyhq/twenty/security/advisories/GHSA-f5h2-3qw5-3qp7

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment