Product
twenty
6 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2026-46624 (affected: >= 1.7.7 and < 1.16.7)
Twenty is an open source CRM. From 1.7.7 through 1.16.7, a critical Remote Code Execution (RCE) vulnerability exists in Twenty CRM
CVE-2026-44729 (affected: <= 1.18.0)
Twenty is an open source CRM. In 1.18.0 and earlier, the file serving endpoints in Twenty CRM at /files/* and /file/:fileFolder/:i
CVE-2026-27023 (affected: < 1.18.0)
Twenty is an open source CRM. Prior to version 1.18, the SSRF protection in SecureHttpClientService validated request URLs at the
CVE-2026-26720 (affected: <= 1.15.0)
An issue in Twenty CRM v1.15.0 and before allows a remote attacker to execute arbitrary code via the local.driver.ts module.
CVE-2024-28435 (affected: all versions)
The CRM platform Twenty version 0.3.0 is vulnerable to SSRF via file upload.
CVE-2024-28434 (affected: all versions)
The CRM platform Twenty is vulnerable to stored cross site scripting via file upload in version 0.3.0. A crafted svg file can trig