PT-2026-43301 · Git+2 · Twenty
Thesanjok
·
Published
2026-05-26
·
Updated
2026-05-27
·
CVE-2026-44729
CVSS v3.1
8.7
High
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Twenty versions prior to 1.18.1
Description
An issue exists in the file serving endpoints '/files/*' and '/file/:fileFolder/:id' where uploaded files are served using
fileStream.pipe(res) without specifying Content-Type, Content-Disposition, or X-Content-Type-Options response headers. This allows an authenticated attacker to upload an HTML file containing JavaScript that the victim's browser will render within the context of the domain, potentially leading to session hijacking, account takeover, and data theft.Recommendations
Update to a version later than 1.18.0.
Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Twenty