PT-2026-43301 · Git+2 · Twenty

Thesanjok

·

Published

2026-05-26

·

Updated

2026-05-27

·

CVE-2026-44729

CVSS v3.1

8.7

High

VectorAV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions Twenty versions prior to 1.18.1
Description An issue exists in the file serving endpoints '/files/*' and '/file/:fileFolder/:id' where uploaded files are served using fileStream.pipe(res) without specifying Content-Type, Content-Disposition, or X-Content-Type-Options response headers. This allows an authenticated attacker to upload an HTML file containing JavaScript that the victim's browser will render within the context of the domain, potentially leading to session hijacking, account takeover, and data theft.
Recommendations Update to a version later than 1.18.0.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-44729
GHSA-F5H2-3QW5-3QP7

Affected Products

Twenty