T

Twenty Security Vulnerabilities (CVE)

Explore vulnerabilities and security advisories affecting Twenty products.

2 known CVE vulnerabilities tracked

Critical
1
High
1
Medium
0
Low
0
None
0

Vulnerabilities By Year

2
2026

Products Affected

Twenty 2

All Twenty CVEs

Recent Highest Score Oldest
CVE-2026-46624
9.9 critical

Twenty is an open source CRM. From 1.7.7 through 1.16.7, a critical Remote Code Execution (RCE) vulnerability exists in Twenty CRM via a chained SQL Injection and PostgreSQL COPY TO PROGRAM attack. If Postgres user is a super user then any authenticated user can execute arbitrary OS commands on the

Twenty May 26, 2026
CVE-2026-44729
8.7 high

Twenty is an open source CRM. In 1.18.0 and earlier, the file serving endpoints in Twenty CRM at /files/* and /file/:fileFolder/:id serve uploaded files using fileStream.pipe(res) without setting any Content-Type, Content-Disposition, or X-Content-Type-Options response headers. This allows an authen

Twenty May 26, 2026