CVE-2026-46624

Name of the Vulnerable Software and Affected Versions Twenty CRM versions 1.7.7 through 1.16.7

Description A Remote Code Execution (RCE) issue exists via a chained SQL Injection and PostgreSQL COPY TO PROGRAM attack. If the Postgres user is a superuser, any authenticated user can execute arbitrary OS commands on the database server. This occurs because the timeZone parameter in the REST API 'groupBy' endpoint is directly interpolated into a raw SQL expression using JavaScript template literals without parameterization, validation, or escaping. This affects the get-group-by-expression.util.ts function.

Recommendations For versions 1.7.7 through 1.16.7, update the software to a version where the timeZone parameter is properly sanitized. As a temporary workaround, restrict the database user permissions to ensure the Postgres user is not a superuser to prevent the execution of OS commands.