CVE-2026-35451
Received Received - Intake
Stored XSS in Twenty CRM BlockNote Editor Enables JS Execution

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
Twenty is an open source CRM. Prior to 1.20.6, a Stored Cross-Site Scripting (XSS) vulnerability exists in the BlockNote editor component. Due to a lack of protocol validation in the FileBlock component and insufficient server-side inspection of block content, an attacker can inject a javascript: URI into the url property of a file block. This allows the execution of arbitrary JavaScript when a user clicks on the malicious file attachment. This vulnerability is fixed in 1.20.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35451
EUVD
EUVD-2026-24161
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
twentyhq twenty to 1.20.6 (exc)
twentyhq twenty 1.20.6
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows an attacker to execute arbitrary JavaScript in the context of a user session, potentially leading to session hijacking and theft of sensitive data stored in cookies or localStorage.

Such unauthorized access and exposure of sensitive data can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Because the vulnerability enables attackers to perform unauthorized actions on behalf of users, including administrators, it increases the risk of data breaches and unauthorized data processing, which are critical compliance concerns under these standards.

Executive Summary

CVE-2026-35451 is a Stored Cross-Site Scripting (XSS) vulnerability in the BlockNote editor component of the Twenty CRM software prior to version 1.20.6.

The vulnerability occurs because the FileBlock component does not properly validate the URL protocol in the url property of a file block, allowing an attacker to inject a malicious javascript: URI.

When a user clicks on a malicious file attachment link containing this javascript: URI, arbitrary JavaScript code can execute in the user's browser.

This happens because the vulnerable code assigns the url value directly to the href attribute of an anchor tag without checking if the URL uses safe protocols like http, https, or mailto.

Impact Analysis

An authenticated attacker can exploit this vulnerability to execute arbitrary JavaScript in the context of any user who views and clicks the malicious file attachment link.

This can lead to session hijacking, theft of sensitive data stored in cookies or localStorage, and unauthorized actions performed on behalf of the victim user.

Because the attacker can target any user with access to the compromised note, including administrators, the impact can be significant.

The vulnerability requires the victim to click the malicious link, and the attacker must have low-level authentication privileges to create the malicious content.

Detection Guidance

Detection of this vulnerability involves identifying malicious payloads that inject javascript: URIs into the url property of file blocks within the BlockNote editor component of Twenty CRM.

One approach is to monitor or inspect GraphQL mutation requests, specifically the createNote mutation, for suspicious JSON payloads containing file blocks with URLs starting with "javascript:" or other unsafe protocols.

For example, you can capture and search network traffic or logs for patterns like:

  • Look for JSON payloads containing "block.props.url" fields with values starting with "javascript:".
  • Use network monitoring tools (e.g., tcpdump, Wireshark) to filter HTTP POST requests to the GraphQL endpoint and inspect the request bodies.

Suggested commands include:

  • Using grep on server logs or captured traffic: grep -i 'javascript:' /path/to/logs
  • Using curl or similar tools to test the GraphQL endpoint with crafted payloads to see if unsafe URLs are accepted.
  • Example curl command to test (replace URL and auth as needed): curl -X POST https://your-twenty-instance/graphql \ -H 'Content-Type: application/json' \ -d '{"query":"mutation { createNote(input: {blocks: [{type: \"file\", props: {url: \"javascript:void(alert(1))\"}}]}) { id } }"}'
Mitigation Strategies

The primary mitigation step is to upgrade Twenty CRM to version 1.20.6 or later, where this vulnerability is fixed.

The fix includes strict server-side validation rejecting unsafe URL protocols in file blocks and client-side hardening to prevent rendering or execution of malicious javascript: URIs.

  • Upgrade Twenty CRM to version 1.20.6 or newer.
  • Ensure that server-side validation functions (such as validateBlocknoteFieldOrThrow) are in place and properly reject unsafe URLs.
  • Apply client-side updates that use the isSafeUrl utility to whitelist safe URL protocols (http, https, mailto, tel, relative paths) and block unsafe ones.
  • Add or enforce linting rules to prevent introduction of javascript: URLs in the codebase.
  • Educate users to avoid clicking suspicious file attachments or links until the patch is applied.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35451. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart