CVE-2026-35451
Twenty: Stored XSS via BlockNote FileBlock
Vexday Risk Score
13Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 5.7EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —
Ciclo de vida
21 abr 2026Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
Twenty is an open source CRM. Prior to 1.20.6, a Stored Cross-Site Scripting (XSS) vulnerability exists in the BlockNote editor component. Due to a lack of protocol validation in the FileBlock component and insufficient server-side inspection of block content, an attacker can inject a javascript: URI into the url property of a file block. This allows the execution of arbitrary JavaScript when a user clicks on the malicious file attachment. This vulnerability is fixed in 1.20.6.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Produtos afetados
twentyhq · twenty