CVE-2026-35451
Stored XSS in Twenty CRM BlockNote Editor Enables JS Execution
Publication date: 2026-04-21
Last updated on: 2026-04-21
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| twentyhq | twenty | before 1.20.6 (affected; 1.20.6 excluded) |
| twentyhq | twenty | 1.20.6 (fixed) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-35451 is a stored cross-site scripting (XSS) vulnerability in the BlockNote editor component of Twenty CRM before version 1.20.6.
The vulnerability occurs because the FileBlock component does not validate the URL scheme of a file block's url property, so an attacker can store a javascript: URI in it.
When another user clicks the resulting file attachment link, the JavaScript in that URI executes in their browser, within their authenticated session.
The vulnerable code assigns the url value directly to the href attribute of an anchor element without checking that the URL uses an allowed scheme such as http, https, or mailto. Because the payload is the scheme itself rather than a quote or angle bracket, ordinary attribute escaping does not prevent it; only a scheme allow-list does.
How can this vulnerability impact me?
An authenticated attacker can exploit this vulnerability to execute arbitrary JavaScript in the context of any user who views the note and clicks the malicious file attachment link.
This can lead to session hijacking, theft of sensitive data stored in cookies or localStorage, and unauthorized actions performed on behalf of the victim user.
Because the attacker can target any user with access to the note containing the block, including administrators, the impact can be significant.
Exploitation requires the victim to click the malicious link, and the attacker needs only low-privilege authenticated access to create the malicious content.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection focuses on finding file blocks whose url property carries a javascript: (or any other non-allow-listed) scheme, either in stored note content or in the GraphQL mutations that create and update it.
One approach is to inspect GraphQL requests to the Twenty endpoint, for example the createNote mutation and the mutations that update a note body, for JSON payloads containing file blocks whose url starts with "javascript:" or another unsafe scheme.
For example, you can capture and search network traffic or logs for patterns like:
- JSON payloads in which a file block's props.url value starts with "javascript:". Match case-insensitively and after stripping leading whitespace, because browsers ignore leading spaces and embedded tab or newline characters when they parse a URL, so "JavaScript:" and "java<TAB>script:" execute just as "javascript:" does.
- HTTP POST requests to the GraphQL endpoint, captured with a proxy, tcpdump or Wireshark, whose request bodies contain such blocks.
Suggested commands include:
- Searching captured traffic or logs that include request bodies (standard access logs normally record only the request line, not the body): grep -i 'javascript:' /path/to/logs. A literal match misses payloads that split the scheme with a tab or newline, so treat a clean grep as weak evidence rather than proof of absence.
- Using curl to submit a crafted file block to a test workspace and checking whether the unsafe URL is accepted. A patched instance (1.20.6 or later) should reject it with a validation error; an unpatched one stores it as a live stored-XSS payload, so run this only against a test workspace and delete the note afterwards. The mutation below follows the shape quoted in this entry and must be adjusted to your instance's actual GraphQL schema; replace the URL and add your authentication header as needed:

```shell
curl -X POST https://your-twenty-instance/graphql \
  -H 'Content-Type: application/json' \
  -d '{"query":"mutation { createNote(input: {blocks: [{type: \"file\", props: {url: \"javascript:void(alert(1))\"}}]}) { id } }"}'
```
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Twenty CRM to version 1.20.6 or later, where this vulnerability is fixed.
The fix includes strict server-side validation rejecting unsafe URL protocols in file blocks and client-side hardening to prevent rendering or execution of malicious javascript: URIs.
- Upgrade Twenty CRM to version 1.20.6 or newer.
- Ensure that server-side validation functions (such as validateBlocknoteFieldOrThrow) are in place and properly reject unsafe URLs.
- Apply client-side updates that use the isSafeUrl utility to whitelist safe URL protocols (http, https, mailto, tel, relative paths) and block unsafe ones.
- Add or enforce linting rules to prevent introduction of javascript: URLs in the codebase.
- Educate users to avoid clicking suspicious file attachments or links until the patch is applied.
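The following is an added example written for this entry; it is not code from Twenty, from the BlockNote editor, or from the fix described above, and the names in it (normalizeUrl, urlScheme, isAllowedUrl, renderFileBlockVulnerable, renderFileBlockHardened, findUnsafeFileBlocks, SAMPLE_NOTE) are assumptions for illustration, not the project's identifiers. It serves both the detection steps and the mitigation steps above: a scheme allow-list check that normalizes the way browsers do (so tab and newline tricks and mixed case do not slip past it), the vulnerable href assignment beside a hardened version, and a scanner over a BlockNote-style note body that can be pointed at stored notes or at the blocks inside a captured createNote request body. The sample note body is constructed for the example.

```javascript
// Added illustration, not Twenty's code. Names (isAllowedUrl, normalizeUrl,
// findUnsafeFileBlocks, SAMPLE_NOTE) and the sample note body are assumed.

const SAFE_SCHEMES = new Set(['http', 'https', 'mailto', 'tel']);

// Browsers (WHATWG URL parsing) strip leading/trailing C0 controls and spaces
// and drop ASCII tab, LF and CR anywhere before reading the scheme. Normalising
// the same way is what defeats payloads such as " java\tscript:alert(1)".
function normalizeUrl(url) {
  return String(url)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
}

// Lower-cased scheme of a URL, or null when it has none (a relative path).
function urlScheme(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(normalizeUrl(url));
  return m ? m[1].toLowerCase() : null;
}

// Allow-list check: relative paths and http/https/mailto/tel pass; anything
// else (javascript:, data:, vbscript:, file:, ...) fails. Non-strings fail.
function isAllowedUrl(url) {
  if (typeof url !== 'string') return false;
  const scheme = urlScheme(url);
  return scheme === null || SAFE_SCHEMES.has(scheme);
}

// Minimal HTML attribute escaping. Escaping alone does not help here: the
// payload is the URL scheme, not a quote or an angle bracket.
function escapeAttr(s) {
  return String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');
}

// BEFORE: the pattern this entry describes. url flows straight into href,
// so a stored "javascript:" URL runs when a victim clicks the link.
function renderFileBlockVulnerable(block) {
  return `<a href="${escapeAttr(block.props.url)}">${escapeAttr(block.props.name)}</a>`;
}

// AFTER: a block with a disallowed scheme is rendered without any href.
function renderFileBlockHardened(block) {
  const name = escapeAttr(block.props.name);
  if (!isAllowedUrl(block.props.url)) return `<span data-blocked-url="true">${name}</span>`;
  return `<a href="${escapeAttr(block.props.url)}">${name}</a>`;
}

// Walk a BlockNote-style document (an array of blocks, each possibly carrying
// nested `children`) and report every file block whose url fails the check.
// Point this at a stored note body or at the blocks inside a captured
// createNote request body. Paths are indices into the nested arrays.
function findUnsafeFileBlocks(blocks, path = []) {
  const hits = [];
  blocks.forEach((block, i) => {
    const here = [...path, i];
    if (block.type === 'file' && block.props && !isAllowedUrl(block.props.url)) {
      hits.push({ path: here.join('.'), id: block.id, url: block.props.url });
    }
    if (Array.isArray(block.children)) {
      hits.push(...findUnsafeFileBlocks(block.children, here));
    }
  });
  return hits;
}

// Constructed sample note body (not real data). Block b5 hides a tab inside
// the scheme, which a literal `grep -i 'javascript:'` would not match.
const SAMPLE_NOTE = [
  { id: 'b1', type: 'paragraph', props: {}, content: [{ type: 'text', text: 'Q3 contract' }], children: [] },
  { id: 'b2', type: 'file', props: { name: 'contract.pdf', url: 'https://files.example.com/contract.pdf' }, children: [] },
  { id: 'b3', type: 'file', props: { name: 'click me', url: 'javascript:void(alert(document.cookie))' }, children: [] },
  { id: 'b4', type: 'bulletListItem', props: {}, content: [], children: [
    { id: 'b5', type: 'file', props: { name: 'notes.txt', url: ' java\tscript:alert(1)' }, children: [] },
    { id: 'b6', type: 'file', props: { name: 'map.png', url: '/storage/map.png' }, children: [] },
  ] },
];

for (const hit of findUnsafeFileBlocks(SAMPLE_NOTE)) {
  console.log(`unsafe file block ${hit.id} at ${hit.path}: ${JSON.stringify(hit.url)}`);
}
```

Run it with node; on the sample it reports b3 (path 2) and the tab-obfuscated b5 (path 3.0), while the https and relative-path blocks pass. The allow-list is deliberately short: adding a scheme means deciding that a click on it can never run script, which is why data: and vbscript: are left out rather than block-listed.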
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker to execute arbitrary JavaScript in the context of a user session, potentially leading to session hijacking and theft of sensitive data stored in cookies or localStorage.
Such unauthorized access and exposure of sensitive data can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.
Because the vulnerability enables attackers to perform unauthorized actions on behalf of users, including administrators, it increases the risk of data breaches and unauthorized data processing, which are critical compliance concerns under these standards.