CVE-2026-35451

Name of the Vulnerable Software and Affected Versions Twenty versions prior to 1.20.6

Description A Stored Cross-Site Scripting (XSS) issue exists in the BlockNote editor component. Due to a lack of protocol validation in the FileBlock component and insufficient server-side inspection of block content, an attacker can inject a javascript: URI into the url property of a file block. This allows the execution of arbitrary JavaScript when a user clicks on the malicious file attachment.

Recommendations Update to version 1.20.6.