Twenty is an open source CRM. In 1.18.0 and earlier, the file serving endpoints in Twenty CRM at /files/* and /file/:fileFolder/:id serve uploaded files using fileStream.pipe(res) without setting any Content-Type, Content-Disposition, or X-Content-Type-Options response headers. This allows an authenticated attacker to upload an HTML file containing JavaScript, which will be rendered by the victim's browser in the context of the Twenty CRM domain when accessed — enabling session hijacking, account takeover, and data theft.
References
| Link | Resource |
|---|---|
| https://github.com/twentyhq/twenty/security/advisories/GHSA-f5h2-3qw5-3qp7 | Exploit Mitigation Vendor Advisory |
History
27 May 2026, 14:45
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:twenty:twenty:*:*:*:*:*:*:*:* | |
| References | () https://github.com/twentyhq/twenty/security/advisories/GHSA-f5h2-3qw5-3qp7 - Exploit, Mitigation, Vendor Advisory | |
| First Time | | Twenty; Twenty twenty |
27 May 2026, 14:16
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/twentyhq/twenty/security/advisories/GHSA-f5h2-3qw5-3qp7 - | |
26 May 2026, 17:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |
Information
Published : 2026-05-26 17:16
Updated : 2026-05-27 14:45
NVD link : CVE-2026-44729
Mitre link : CVE-2026-44729
CVE.ORG link : CVE-2026-44729
Products Affected
twenty
- twenty
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
