CVE-2026-35451 Overview
A Stored Cross-Site Scripting (XSS) vulnerability has been identified in Twenty, an open source CRM platform. The vulnerability exists in the BlockNote editor component, specifically within the FileBlock component. Due to a lack of protocol validation and insufficient server-side inspection of block content, an attacker can inject a javascript: URI into the url property of a file block. This allows the execution of arbitrary JavaScript when a user clicks on the malicious file attachment.
Critical Impact
Attackers can execute arbitrary JavaScript in the context of authenticated users, potentially leading to session hijacking, data theft, or unauthorized actions within the CRM system.
Affected Products
- Twenty CRM versions prior to 1.20.6
- Twenty BlockNote editor component (FileBlock)
Discovery Timeline
- 2026-04-21 - CVE CVE-2026-35451 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-35451
Vulnerability Analysis
This Stored XSS vulnerability (CWE-79) stems from improper input validation in the BlockNote editor's FileBlock component. The application fails to validate URI protocols when users or attackers insert file block content. The url property of file blocks accepts arbitrary values without sanitization, allowing javascript: protocol URIs to be stored and later executed when a user clicks the rendered file link.
Since this is a stored XSS vulnerability, malicious payloads persist in the database and execute whenever other users view the affected content. This creates a particularly dangerous attack surface in a CRM environment where multiple users may access shared records and notes.
Root Cause
The root cause is twofold: the client-side FileBlock component lacks protocol validation to filter dangerous URI schemes, and the server side does not adequately inspect block content before storing it in the database. This combination allows attackers with low-privilege access to inject malicious JavaScript that executes in the browsers of other authenticated users.
Attack Vector
The attack is network-based and requires low privileges to execute. An authenticated attacker crafts a file block with a malicious javascript: URI in the url property. When another user clicks on what appears to be a legitimate file attachment, the JavaScript executes in their browser context. This can be leveraged for session theft, phishing within the application, or performing unauthorized actions on behalf of the victim.
The vulnerability requires user interaction—specifically, the victim must click on the malicious file block link for the payload to execute. However, in a CRM environment where users routinely interact with shared content and file attachments, successful exploitation is highly probable.
Detection Methods for CVE-2026-35451
Indicators of Compromise
- Database records containing javascript: protocol URIs in file block content
- Unusual file block entries with non-standard URL schemes (e.g., javascript:, data:, vbscript:)
- User reports of unexpected behavior when clicking on file attachments
- Browser console logs showing injected script execution originating from CRM content
Detection Strategies
- Implement content security policies (CSP) to restrict inline script execution and detect policy violations
- Deploy web application firewalls (WAF) with rules to detect javascript: URI patterns in POST/PUT requests
- Enable logging and monitoring of database writes to the block content tables for suspicious patterns
- Use browser-based XSS auditing tools during security assessments to identify stored payload execution
Monitoring Recommendations
- Monitor application logs for file block creation events with unusual URL patterns
- Set up alerts for CSP violation reports that may indicate attempted XSS exploitation
- Implement database integrity monitoring to detect injection of malicious content
- Review user activity logs for accounts creating suspicious file block entries
How to Mitigate CVE-2026-35451
Immediate Actions Required
- Upgrade Twenty CRM to version 1.20.6 or later immediately
- Review existing database content for file blocks containing javascript: or other dangerous URI schemes
- Sanitize any identified malicious content from the database
- Enable Content Security Policy headers to provide defense-in-depth against XSS
Patch Information
This vulnerability is fixed in Twenty CRM version 1.20.6. The patch introduces proper protocol validation in the FileBlock component and enhanced server-side content inspection. The fix is available via the GitHub commit 8da69e0f77ea820a6845a4c3c025b6af3861d523. Additional details can be found in the GitHub Security Advisory GHSA-7w89-7q26-gj7q.
Workarounds
- If immediate patching is not possible, implement a reverse proxy or WAF rule to block requests containing javascript: URIs in block content
- Apply input validation at the database layer to reject file blocks with non-HTTP/HTTPS URL schemes
- Temporarily restrict file block creation permissions to trusted administrators until the patch can be applied
- Deploy strict Content Security Policy headers to mitigate the impact of any stored XSS payloads
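The two checks this page calls for, protocol validation before a file block is persisted (Patch Information, Workarounds) and a review plus clean-up of content already in the database (Immediate Actions), can be demonstrated with one piece of code. The TypeScript below is an added example written for this page, not Twenty's or BlockNote's own code. It assumes a simplified block shape (`type`, `props`, optional nested `children`) and a `file` block whose `url` prop holds an absolute URL; the function names and the sample document are constructed for illustration. It goes slightly beyond the page in one respect: it normalises the URL the way a browser does before checking the scheme, so case and whitespace variants of `javascript:` that a literal string match (for example a WAF rule for the exact text `javascript:`) would miss are still caught.

```typescript
// Added example (not Twenty's or BlockNote's own code). Block shape and the
// `file` block's `url` prop are assumptions for illustration.

type Block = {
  id: string;
  type: string;
  props: Record<string, unknown>;
  children?: Block[];
};

type Finding = { blockId: string; url: string; scheme: string | null };

// Allowlist: only absolute http(s) URLs are acceptable for a file attachment.
// Denylisting "javascript:" alone is brittle (data:, vbscript:, custom
// schemes), so the check is phrased as "what is allowed", not "what is bad".
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

/**
 * Return the scheme a browser would act on, or null if the value does not
 * parse as an absolute URL. The WHATWG URL parser (rather than a string
 * prefix match) reproduces browser normalisation: leading/trailing
 * whitespace and control characters are stripped, embedded tabs and newlines
 * are removed, and the scheme is lowercased, so " JaVa\tScript:alert(1)"
 * still yields "javascript:".
 */
function extractScheme(raw: string): string | null {
  try {
    return new URL(raw).protocol;
  } catch {
    return null; // relative path or garbage: not an absolute URL
  }
}

/** True only for absolute URLs whose scheme is on the allowlist. */
function isSafeFileUrl(value: unknown): boolean {
  if (typeof value !== "string") return false;
  const scheme = extractScheme(value);
  return scheme !== null && ALLOWED_SCHEMES.has(scheme);
}

/** Walk a document (blocks may nest via `children`) and report every file
 * block whose non-empty `url` fails the allowlist. An empty url means no
 * file has been attached yet, so there is nothing to click. Used both for
 * pre-storage validation and for auditing content already in the database. */
function auditBlocks(blocks: Block[]): Finding[] {
  const findings: Finding[] = [];
  const walk = (list: Block[]): void => {
    for (const block of list) {
      const url = block.props.url;
      if (block.type === "file" && typeof url === "string" && url !== "") {
        if (!isSafeFileUrl(url)) {
          findings.push({ blockId: block.id, url, scheme: extractScheme(url) });
        }
      }
      if (block.children) walk(block.children);
    }
  };
  walk(blocks);
  return findings;
}

/** Server-side gate: refuse to persist a document that contains any unsafe
 * file block, naming the offending block ids in the error. */
function assertSafeForStorage(blocks: Block[]): void {
  const bad = auditBlocks(blocks);
  if (bad.length > 0) {
    const ids = bad.map((f) => `${f.blockId} (${f.scheme ?? "no scheme"})`);
    throw new Error(`rejected file block url(s): ${ids.join(", ")}`);
  }
}

/** Clean-up for already-stored content: return a copy of the document with
 * each unsafe file block's `url` blanked so the link is no longer clickable.
 * The block itself is kept so the record remains intact for review. */
function sanitizeBlocks(blocks: Block[]): Block[] {
  return blocks.map((block) => {
    const copy: Block = { ...block, props: { ...block.props } };
    const url = copy.props.url;
    if (copy.type === "file" && typeof url === "string" && url !== "" && !isSafeFileUrl(url)) {
      copy.props.url = "";
    }
    if (block.children) copy.children = sanitizeBlocks(block.children);
    return copy;
  });
}

// Constructed sample document (not real Twenty data): one legitimate
// attachment, one plain javascript: URI, one case/whitespace-obfuscated
// variant nested in a child block, and a data: URI that a naive
// "javascript:" filter would miss.
const SAMPLE_DOCUMENT: Block[] = [
  { id: "b1", type: "paragraph", props: {}, children: [] },
  { id: "b2", type: "file", props: { name: "report.pdf", url: "https://files.example/report.pdf" } },
  { id: "b3", type: "file", props: { name: "invoice.pdf", url: "javascript:alert(1)" } },
  {
    id: "b4", type: "paragraph", props: {},
    children: [
      { id: "b5", type: "file", props: { name: "notes.txt", url: "  JaVa\tScript:alert(1)" } },
    ],
  },
  { id: "b6", type: "file", props: { name: "page.html", url: "data:text/html,<b>hi</b>" } },
];

const sampleFindings = auditBlocks(SAMPLE_DOCUMENT);
console.log(sampleFindings.map((f) => `${f.blockId}: ${f.scheme}`));
// -> [ 'b3: javascript:', 'b5: javascript:', 'b6: data:' ]
```

In practice `assertSafeForStorage` belongs in the server-side write path (the "enhanced server-side content inspection" the patch describes), while `auditBlocks` and `sanitizeBlocks` are what a one-off sweep over existing block content would run; both share the same allowlist so the two cannot drift apart.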
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

