CVE-2026-44729 HIGH

CVE-2026-44729: Twenty: Stored Cross-Site Scripting via Unsanitized File Serving (Missing Content-Type/Content-Disposition Headers)

Vendor Twentyhq

Product twenty

Weakness CWE-79 · XSS

Published May 26, 2026

Last update May 27, 2026

View on NVD All CVEs

CVSS base score

8.7/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

Twenty is an open source CRM. In 1.18.0 and earlier, the file serving endpoints in Twenty CRM at /files/* and /file/:fileFolder/:id serve uploaded files using fileStream.pipe(res) without setting any Content-Type, Content-Disposition, or X-Content-Type-Options response headers. This allows an authenticated attacker to upload an HTML file containing JavaScript, which will be rendered by the victim's browser in the context of the Twenty CRM domain when accessed — enabling session hijacking, account takeover, and data theft.

Key dates

02Disclosure timeline

May 26, 2026 CVE published

May 27, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-44729

Related vulnerabilities

04Related CVE

CVE-2025-8720 Plugin README Parser <= 1.3.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via target Parameter CVE-2023-0295 Launchpad – Coming Soon & Maintenance Mode Plugin <= 1.0.13 - Authenticated (Administrator+) Cross-Site Scripting CVE-2024-4703 One Page Express Companion <= 1.6.37 - Authenticated (Contributor+) Stored Cross-Site Scripting via one_page_express_contact_form Shortcode CVE-2025-2579 Lottie Player <= 1.1.8 - Authenticated (Author+) Stored Cross-Site Scripting via File Upload CVE-2025-22545 WordPress iframe to embed plugin <= 1.2 - Cross Site Scripting (XSS) vulnerability