9.8
Twenty CRM v1.15.0 and before: Remote Code Execution Risk
CVE-2026-26720
Summary
A code injection issue in Twenty CRM version 1.15.0 and earlier allows a remote attacker to execute arbitrary code on your server through the local.driver.ts module, potentially gaining full control over your system. This could lead to data theft, system crashes, or other security breaches. Update to the latest version of Twenty CRM to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| twenty | twenty | <= 1.15.0 | – |
Original title
An issue in Twenty CRM v1.15.0 and before allows a remote attacker to execute arbitrary code via the local.driver.ts module.
Original description
An issue in Twenty CRM v1.15.0 and before allows a remote attacker to execute arbitrary code via the local.driver.ts module.
NVD CVSS 3.1
9.8
Vulnerability type
CWE-94
Code Injection
- https://dillonkirsch.com/post/locally_hosted_twenty_rce_cve_2026_26720/ (Exploit, Third Party Advisory)
- https://github.com/dillonkirsch/CVE-2026-26720-Twenty-RCE (Exploit, Third Party Advisory)
- https://twenty.com (Product)
Published: 2 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026