{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-26720", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-02T17:00:03.235Z", "dateReserved": "2026-02-16T00:00:00.000Z", "datePublished": "2026-03-02T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-02T15:09:05.539Z"}, "descriptions": [{"lang": "en", "value": "An issue in Twenty CRM v1.15.0 and before allows a remote attacker to execute arbitrary code via the local.driver.ts module."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://twenty.com"}, {"url": "https://github.com/dillonkirsch/CVE-2026-26720-Twenty-RCE"}, {"url": "https://dillonkirsch.com/post/locally_hosted_twenty_rce_cve_2026_26720/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-02T16:55:41.360991Z", "id": "CVE-2026-26720", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T17:00:03.235Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-26720", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-02T16:55:41.360991Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T16:59:32.103Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://twenty.com"}, {"url": "https://github.com/dillonkirsch/CVE-2026-26720-Twenty-RCE"}, {"url": "https://dillonkirsch.com/post/locally_hosted_twenty_rce_cve_2026_26720/"}], "descriptions": [{"lang": "en", "value": "An issue in Twenty CRM v1.15.0 and before allows a remote attacker to execute arbitrary code via the local.driver.ts module."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-02T15:09:05.539Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26720", "state": "PUBLISHED", "dateUpdated": "2026-03-02T17:00:03.235Z", "dateReserved": "2026-02-16T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-02T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:twenty:twenty:*:*:*:*:*:*:*:*", "matchCriteriaId": "AEC17E06-01B2-46B3-A175-9193D82BE6CF", "versionEndIncluding": "1.15.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue in Twenty CRM v1.15.0 and before allows a remote attacker to execute arbitrary code via the local.driver.ts module."}], "id": "CVE-2026-26720", "lastModified": "2026-03-04T14:47:23.503", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-02T16:16:25.517", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://dillonkirsch.com/post/locally_hosted_twenty_rce_cve_2026_26720/"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/dillonkirsch/CVE-2026-26720-Twenty-RCE"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://twenty.com"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.15.0]"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "crm", "vendor": "twenty"}], "analysis": {"en": {"generated_at": "2026-04-17T13:38:37.477044+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest version of Twenty CRM that resolves the local.driver.ts injection flaw.", "Verify the vendor\u2019s website for updated releases or patches that address this vulnerability.", "Restrict external access to the CRM instance and block traffic to the local.driver.ts endpoint from untrusted networks.", "Replace any eval or dynamic code execution with safe, validated alternatives in the application\u2019s code editor or module loader."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Twenty CRM versions 1.15.0 and earlier are affected. The vulnerability exists in the local.driver.ts file and is present in all releases that have not been patched beyond version 1.15.0.", "description_and_impact": "An insecure implementation in the local.driver.ts module of Twenty CRM allows a remote attacker to inject and execute arbitrary code. The vulnerability stems from unauthenticated code evaluation exposed through this module, which is classified as Code Injection (CWE-94). An attacker who can reach the CRM instance can exploit the flaw to run any system command, compromising confidentiality, integrity, and availability of the entire server.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 9.8, indicating critical severity. EPSS indicates a probability of exploitation below 1%, suggesting that, at present, exploitation attempts are unlikely but the risk remains high due to the lack of a public fix. The vulnerability is not listed in the CISA known exploited vulnerabilities catalog as of this assessment. Exploitation requires sending a crafted request to the exposed local.driver.ts endpoint, which is reachable from any machine that can access the CRM instance."}}}}, "created": "2026-03-03T08:46:50.199619+00:00", "title": "Remote Code Execution Vulnerability in Twenty CRM's local.driver.ts Module", "updated": "2026-04-17T13:45:16.029169+00:00", "vendors": ["twenty", "twenty$PRODUCT$crm"]}