CVE-2026-44729

🗓️ 26 May 2026 16:56:06Reported by GitHub_MType

cve🔗 web.nvd.nist.gov👁 15 Views🌐 WEB

Twenty CRM before 1.18.0 serves files without headers, enabling stored cross-site scripting.

Reporter	Title	Published	Views	Family All 9
ATTACKERKB	CVE-2026-44729	26 May 202616:56	–	attackerkb
Circl	CVE-2026-44729	28 May 202600:07	–	circl
CNNVD	Twenty 跨站脚本漏洞	26 May 202600:00	–	cnnvd
Cvelist	CVE-2026-44729 Twenty: Stored Cross-Site Scripting via Unsanitized File Serving (Missing Content-Type/Content-Disposition Headers)	26 May 202616:56	–	cvelist
EUVD	EUVD-2026-31895	26 May 202616:56	–	euvd
NVD	CVE-2026-44729	26 May 202617:16	–	nvd
Positive Technologies	PT-2026-43301	26 May 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-44729	5 Jun 202619:11	–	redhatcve
Vulnrichment	CVE-2026-44729 Twenty: Stored Cross-Site Scripting via Unsanitized File Serving (Missing Content-Type/Content-Disposition Headers)	26 May 202616:56	–	vulnrichment

NVD

Vulners

Node

twenty twentyRange≤1.18.0

[
  {
    "vendor": "twentyhq",
    "product": "twenty",
    "versions": [
      {
        "version": "<= 1.18.0",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/twentyhq/twenty/security/advisories/GHSA-f5h2-3qw5-3qp7

Parameter	Position	Path	Description	CWE
fileFolder	path	/file/:fileFolder/:id	Serving uploaded files without proper headers via fileFolder/id path enables an attacker to access/upload HTML/JS that runs in the victim's browser under the domain, enabling session hijacking/credential theft.	CWE-79
id	path	/file/:fileFolder/:id	Serving uploaded files without proper headers via fileFolder/id path enables an attacker to access/upload HTML/JS that runs in the victim's browser under the domain, enabling session hijacking/credential theft.	CWE-79

17 Jun 2026 10:51Current

5.8Medium risk

Vulners AI Score5.8

CVSS 3.18.7

EPSS0.00222

SSVC

CWE-79