CVE-2026-35451 MEDIUM

CVE-2026-35451: Twenty: Stored XSS via BlockNote FileBlock

Vendor Twentyhq
Product twenty
Weakness CWE-79 · XSS
Published April 21, 2026
Last update April 21, 2026

CVSS base score: 5.7/10

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: Required
Confidentiality: High
Integrity: None
Availability: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Description

Twenty is an open source CRM. Prior to 1.20.6, a Stored Cross-Site Scripting (XSS) vulnerability exists in the BlockNote editor component. Due to a lack of protocol validation in the FileBlock component and insufficient server-side inspection of block content, an attacker can inject a javascript: URI into the url property of a file block. This allows the execution of arbitrary JavaScript when a user clicks on the malicious file attachment. This vulnerability is fixed in 1.20.6.
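The fix described above comes down to refusing any file-block URL whose scheme is not on an allowlist, and doing so on the server rather than only in the editor. The following is an added illustration written for this record, not code from Twenty or BlockNote; the block shape ({ type: "file", props: { url } }) and the function names are assumptions. It uses WHATWG URL parsing, which strips tabs and newlines and lowercases the scheme, so obfuscated variants of a javascript: URI normalize to the same rejected protocol.

```javascript
// Added example: server-side allowlist check for file-block URLs.
// The block shape below is a simplified assumption, not Twenty's schema.

const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);
// Sentinel base so relative attachment paths ("/files/a.pdf") parse as https:.
const SENTINEL_BASE = "https://sentinel.invalid/";

function isSafeFileUrl(url) {
  if (typeof url !== "string" || url.length === 0) return false;
  let parsed;
  try {
    // WHATWG parsing removes ASCII tab/newline, trims leading whitespace and
    // lowercases the scheme, so "JaVa\tScRiPt:" becomes protocol "javascript:".
    parsed = new URL(url, SENTINEL_BASE);
  } catch {
    return false; // unparsable input: reject instead of guessing
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol);
}

// Walks a flat list of blocks; file blocks with a non-allowlisted URL get the
// URL blanked so nothing clickable with an unexpected scheme is persisted.
function sanitizeFileBlocks(blocks) {
  let rejected = 0;
  const cleaned = blocks.map((block) => {
    if (block.type !== "file") return block;
    const url = block.props && block.props.url;
    if (isSafeFileUrl(url)) return block;
    rejected += 1;
    return { ...block, props: { ...block.props, url: "" } };
  });
  return { blocks: cleaned, rejected };
}

// Constructed sample document (not real data)
const SAMPLE_BLOCKS = [
  { type: "paragraph", content: "Quarterly report attached" },
  { type: "file", props: { name: "report.pdf", url: "https://files.example.com/report.pdf" } },
  { type: "file", props: { name: "local.pdf", url: "/attachments/local.pdf" } },
  { type: "file", props: { name: "click me", url: "javascript:alert(1)" } },
  { type: "file", props: { name: "obfuscated", url: " JaVa\tScRiPt:alert(1)" } },
  { type: "file", props: { name: "other scheme", url: "data:text/plain,hi" } },
];
```

Running sanitizeFileBlocks(SAMPLE_BLOCKS) keeps the two http(s) attachments and blanks the three others; the same check belongs in the editor for immediate feedback, but the server-side pass is what closes the stored variant.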

Disclosure timeline

April 21, 2026 CVE published
April 21, 2026 Record updated
