VYPR
Medium severity5.7NVD Advisory· Published Apr 21, 2026· Updated Apr 22, 2026

CVE-2026-35451

CVE-2026-35451

Description

Twenty is an open source CRM. Prior to 1.20.6, a Stored Cross-Site Scripting (XSS) vulnerability exists in the BlockNote editor component. Due to a lack of protocol validation in the FileBlock component and insufficient server-side inspection of block content, an attacker can inject a javascript: URI into the url property of a file block. This allows the execution of arbitrary JavaScript when a user clicks on the malicious file attachment. This vulnerability is fixed in 1.20.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Twentyhq/Twentyreferences2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)range: <1.20.6

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.