{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35451", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-02T19:25:52.192Z", "datePublished": "2026-04-21T16:22:30.378Z", "dateUpdated": "2026-04-21T16:56:02.097Z"}, "containers": {"cna": {"title": "Twenty: Stored XSS via BlockNote FileBlock", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/twentyhq/twenty/security/advisories/GHSA-7w89-7q26-gj7q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/twentyhq/twenty/security/advisories/GHSA-7w89-7q26-gj7q"}, {"name": "https://github.com/twentyhq/twenty/commit/8da69e0f77ea820a6845a4c3c025b6af3861d523", "tags": ["x_refsource_MISC"], "url": "https://github.com/twentyhq/twenty/commit/8da69e0f77ea820a6845a4c3c025b6af3861d523"}], "affected": [{"vendor": "twentyhq", "product": "twenty", "versions": [{"version": "< 1.20.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T16:22:30.378Z"}, "descriptions": [{"lang": "en", "value": "Twenty is an open source CRM. Prior to 1.20.6, a Stored Cross-Site Scripting (XSS) vulnerability exists in the BlockNote editor component. Due to a lack of protocol validation in the FileBlock component and insufficient server-side inspection of block content, an attacker can inject a javascript: URI into the url property of a file block. This allows the execution of arbitrary JavaScript when a user clicks on the malicious file attachment. This vulnerability is fixed in 1.20.6."}], "source": {"advisory": "GHSA-7w89-7q26-gj7q", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/twentyhq/twenty/security/advisories/GHSA-7w89-7q26-gj7q", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T16:54:47.995335Z", "id": "CVE-2026-35451", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T16:56:02.097Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35451", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T16:54:47.995335Z"}}}], "references": [{"url": "https://github.com/twentyhq/twenty/security/advisories/GHSA-7w89-7q26-gj7q", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T16:55:52.016Z"}}], "cna": {"title": "Twenty: Stored XSS via BlockNote FileBlock", "source": {"advisory": "GHSA-7w89-7q26-gj7q", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "twentyhq", "product": "twenty", "versions": [{"status": "affected", "version": "< 1.20.6"}]}], "references": [{"url": "https://github.com/twentyhq/twenty/security/advisories/GHSA-7w89-7q26-gj7q", "name": "https://github.com/twentyhq/twenty/security/advisories/GHSA-7w89-7q26-gj7q", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/twentyhq/twenty/commit/8da69e0f77ea820a6845a4c3c025b6af3861d523", "name": "https://github.com/twentyhq/twenty/commit/8da69e0f77ea820a6845a4c3c025b6af3861d523", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Twenty is an open source CRM. Prior to 1.20.6, a Stored Cross-Site Scripting (XSS) vulnerability exists in the BlockNote editor component. Due to a lack of protocol validation in the FileBlock component and insufficient server-side inspection of block content, an attacker can inject a javascript: URI into the url property of a file block. This allows the execution of arbitrary JavaScript when a user clicks on the malicious file attachment. This vulnerability is fixed in 1.20.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T16:22:30.378Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35451", "state": "PUBLISHED", "dateUpdated": "2026-04-21T16:56:02.097Z", "dateReserved": "2026-04-02T19:25:52.192Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T16:22:30.378Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Twenty is an open source CRM. Prior to 1.20.6, a Stored Cross-Site Scripting (XSS) vulnerability exists in the BlockNote editor component. Due to a lack of protocol validation in the FileBlock component and insufficient server-side inspection of block content, an attacker can inject a javascript: URI into the url property of a file block. This allows the execution of arbitrary JavaScript when a user clicks on the malicious file attachment. This vulnerability is fixed in 1.20.6."}], "id": "CVE-2026-35451", "lastModified": "2026-04-22T21:17:23.590", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T17:16:53.087", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/twentyhq/twenty/commit/8da69e0f77ea820a6845a4c3c025b6af3861d523"}, {"source": "security-advisories@github.com", "url": "https://github.com/twentyhq/twenty/security/advisories/GHSA-7w89-7q26-gj7q"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/twentyhq/twenty/security/advisories/GHSA-7w89-7q26-gj7q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.20.6)"}}], "enrichment": {"confidence": 93.0, "confidence_source": "matching", "scores": [{"score": 93.0, "source": "matching"}]}, "original": {"product": "twenty", "source": "cna", "vendor": "twentyhq"}, "product": "twenty", "vendor": "twenty"}], "analysis": {"en": {"generated_at": "2026-04-21T22:40:40.069948+00:00", "value": {"mitigation_remediation": ["Upgrade the Twenty installation to version 1.20.6 or later to eliminate the vulnerable protocol handling.", "If an immediate upgrade is not feasible, disable the FileBlock attachment feature or restrict attachment uploads to trusted users.", "Search existing data for file blocks whose url property contains a javascript: URI and replace or remove them to prevent stored XSS."], "summary": {"action": "Upgrade", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The affected product is the open source CRM Twenty, produced by TwentyHQ. The vulnerability exists in any installation running a version earlier than 1.20.6; versions 1.20.6 and newer contain the remedy.", "description_and_impact": "Twenty contains a Stored Cross\u2011Site Scripting vulnerability in the BlockNote editor. Because the FileBlock component does not validate the protocol and the server lacks adequate inspection, an attacker can embed a javascript: URI into the url property of a file block. When a user later clicks the malicious attachment, arbitrary JavaScript is executed in the victim\u2019s browser, enabling code execution, session hijacking, or other client\u2011side attacks.", "risk_and_exploitability": "The CVSS score of 5.7 indicates medium severity, and the lack of an EPSS value means the exploitation probability is not quantified. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to store a malicious file block, which likely requires some level of access to create or modify content, and a victim must click the injected link. The resulting code execution can compromise confidentiality and integrity of the victim\u2019s session."}}}}, "created": "2026-04-21T22:45:16.060467+00:00", "updated": "2026-04-22T11:46:13.112789+00:00", "vendors": ["twenty", "twenty$PRODUCT$twenty"]}