Twenty: Stored Cross-Site Scripting via Unsanitized File Serving (Missing Content-Type/Content-Disposition...

8.7 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Description

Twenty is an open source CRM. In 1.18.0 and earlier, the file serving endpoints in Twenty CRM at /files/* and /file/:fileFolder/:id serve uploaded files using fileStream.pipe(res) without setting any Content-Type, Content-Disposition, or X-Content-Type-Options response headers. This allows an authenticated attacker to upload an HTML file containing JavaScript, which will be rendered by the victim's browser in the context of the Twenty CRM domain when accessed — enabling session hijacking, account takeover, and data theft.

AI Analysis

Stored Cross-Site Scripting via unsanitized file serving due to missing Content-Type and Content-Disposition headers

Basic Information

ID CVE-2026-44729

Source GitHub_M

Published May 26, 2026 at 16:56

Affected Product

Vendor twentyhq

Product twenty

Version <= 1.18.0

Affected Versions twentyhq twenty <= 1.18.0

CWE Classification

CWE-79

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor TwentyHQ

Product Twenty CRM

Version <= 1.18.0

References

github.com /twentyhq/twenty/security/advisories/GHSA-f5h2-3qw5-3qp7

{
    "lastseen": "",
    "description": "Twenty is an open source CRM. In 1.18.0 and earlier, the file serving endpoints in Twenty CRM at /files/* and /file/:fileFolder/:id serve uploaded files using fileStream.pipe(res) without setting any Content-Type, Content-Disposition, or X-Content-Type-Options response headers. This allows an authenticated attacker to upload an HTML file containing JavaScript, which will be rendered by the victim's browser in the context of the Twenty CRM domain when accessed \u2014 enabling session hijacking, account takeover, and data theft.",
    "published": "2026-05-26T16:56:06.012Z",
    "modified": "2026-05-26T16:56:06.012Z",
    "type": "cve",
    "title": "Twenty: Stored Cross-Site Scripting via Unsanitized File Serving (Missing Content-Type/Content-Disposition Headers)",
    "source": "GitHub_M",
    "references": "https://github.com/twentyhq/twenty/security/advisories/GHSA-f5h2-3qw5-3qp7",
    "id": "CVE-2026-44729",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "twentyhq twenty <= 1.18.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "twenty",
    "version": "<= 1.18.0",
    "vendor": "twentyhq",
    "ai_description": "Stored Cross-Site Scripting via unsanitized file serving due to missing Content-Type and Content-Disposition headers",
    "ai_severity": "High",
    "ai_vendor": "TwentyHQ",
    "ai_product": "Twenty CRM",
    "ai_version": "<= 1.18.0",
    "ai_score": 8.7
}

Twenty: Stored Cross-Site Scripting via Unsanitized File Serving (Missing Content-Type/Content-Disposition Headers)_CVE-2026-44729