Medium severity (score 5.7) · NVD Advisory · Published Apr 21, 2026 · Updated Apr 22, 2026
CVE-2026-35451
Description
Twenty is an open source CRM. In versions prior to 1.20.6, a stored cross-site scripting (XSS) vulnerability exists in the BlockNote editor component. Because the FileBlock component does not validate the URL scheme and the server does not sufficiently inspect block content before storing it, an attacker can persist a javascript: URI in the url property of a file block. The script executes, in the application origin of the victim's session, when a user clicks the malicious file attachment. This vulnerability is fixed in 1.20.6.
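As an added example (not Twenty's code and not its actual fix), the following JavaScript shows the two checks the description says were missing: a scheme allowlist for file-block URLs, and a server-side walk over block content that applies it before anything is persisted. The block shape ({ id, type, props, content, children }), the block type "file" and the prop name url are assumptions modelled on BlockNote's documented block format; the host names and the sample document are constructed for the example.

```javascript
// Added example, not Twenty's code. Assumptions: BlockNote-style block JSON
// ({ id, type, props, content, children }), file blocks have type "file" and
// carry the attachment URL in props.url. Host names are placeholders.

// Allowlist, not denylist: a denylist of "javascript:" misses data:, vbscript:,
// and whatever the next browser feature adds.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Hypothetical origin used only to resolve relative attachment paths.
const RESOLVE_BASE = "https://crm.example.invalid/";

// Returns true only if `url` parses and its scheme is on the allowlist.
// The WHATWG URL parser strips leading/trailing controls and embedded
// tabs/newlines, so "  javascript:" and "java\tscript:" normalise to the
// javascript: scheme and are rejected here, which a naive startsWith() misses.
// `allowedHosts` (optional Set of hostnames) also blocks protocol-relative
// "//other.host/x" links that resolve to a foreign origin.
function isSafeFileUrl(url, allowedHosts) {
  if (typeof url !== "string" || url.length === 0) return false;
  let parsed;
  try {
    parsed = new URL(url, RESOLVE_BASE);
  } catch {
    return false; // unparseable input is rejected, never passed through
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return false;
  if (allowedHosts && !allowedHosts.has(parsed.hostname)) return false;
  return true;
}

// Server-side inspection: walk the block tree (including nested children) and
// neutralise every file block whose url fails validation. Returns a new tree
// plus the ids of rejected blocks so the request can be logged or refused.
// An empty/absent url is a legitimate "not uploaded yet" state and is left alone.
function sanitizeFileBlocks(blocks, allowedHosts) {
  const rejected = [];
  const walk = (block) => {
    const copy = { ...block, props: { ...(block.props || {}) } };
    if (copy.type === "file" && copy.props.url && !isSafeFileUrl(copy.props.url, allowedHosts)) {
      rejected.push(copy.id);
      copy.props.url = ""; // strip the link; dropping the whole block is also reasonable
    }
    if (Array.isArray(block.children)) copy.children = block.children.map(walk);
    return copy;
  };
  return { blocks: blocks.map(walk), rejected };
}

// Constructed sample document: one benign attachment, one stored-XSS payload
// with an embedded tab, and one nested payload using a javascript:// form.
const SAMPLE_BLOCKS = [
  { id: "b1", type: "paragraph", props: {}, content: [{ type: "text", text: "Quarterly report" }], children: [] },
  { id: "b2", type: "file", props: { name: "report.pdf", url: "https://crm.example.invalid/files/report.pdf" }, children: [] },
  { id: "b3", type: "file", props: { name: "invoice.pdf", url: "java\tscript:alert(document.cookie)" },
    children: [
      { id: "b4", type: "file", props: { name: "x", url: "javascript://%0aalert(1)" }, children: [] },
    ] },
];

if (typeof require !== "undefined" && require.main === module) {
  const result = sanitizeFileBlocks(SAMPLE_BLOCKS, new Set(["crm.example.invalid"]));
  console.log("rejected blocks:", result.rejected);
  console.log(JSON.stringify(result.blocks, null, 2));
}

module.exports = { isSafeFileUrl, sanitizeFileBlocks, SAMPLE_BLOCKS };
```

The same isSafeFileUrl check belongs in the client-side FileBlock render path as well: the server-side walk stops new payloads from being stored, but content that was persisted before the fix is only neutralised if the component refuses to put a non-allowlisted URL into an href.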
Affected products: 1
Patches: none discovered yet