Suggestions search

All statuses

Filter by:

With package: gnome-2048

Found 2 matching suggestions

View:

Compact

Detailed

Untriaged

Permalink CVE-2026-35451

5.7 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): NONE
Availability impact (A): NONE

created 1 day, 22 hours ago Activity log

Created suggestion 1 day, 22 hours ago

Twenty: Stored XSS via BlockNote FileBlock

Twenty is an open source CRM. Prior to 1.20.6, a Stored Cross-Site Scripting (XSS) vulnerability exists in the BlockNote editor component. Due to a lack of protocol validation in the FileBlock component and insufficient server-side inspection of block content, an attacker can inject a javascript: URI into the url property of a file block. This allows the execution of arbitrary JavaScript when a user clicks on the malicious file attachment. This vulnerability is fixed in 1.20.6.

References

https://github.com/twentyhq/twenty/security/advisories/GHSA-7w89-7q26-gj7q exploitx_refsource_CONFIRM
https://github.com/twentyhq/twenty/commit/8da69e0f77ea820a6845a4c3c025b6af3861d523 x_refsource_MISC

Affected products

twenty

==< 1.20.6

Matching in nixpkgs

pkgs.gnome-2048

Obtain the 2048 tile

nixos-unstable 3.38.2
- nixpkgs-unstable 3.38.2
- nixos-unstable-small 3.38.2
nixos-25.11 3.38.2
- nixos-25.11-small 3.38.2
- nixpkgs-25.11-darwin 3.38.2

pkgs.wordpressPackages.themes.twentytwenty

None

nixos-unstable 3.0
- nixpkgs-unstable 3.0
- nixos-unstable-small 3.0
nixos-25.11 2.9
- nixos-25.11-small 2.9
- nixpkgs-25.11-darwin 2.9

pkgs.wordpressPackages.themes.twentynineteen

None

nixos-unstable 3.2
- nixpkgs-unstable 3.2
- nixos-unstable-small 3.2
nixos-25.11 3.1
- nixos-25.11-small 3.1
- nixpkgs-25.11-darwin 3.1

pkgs.wordpressPackages.themes.twentytwentyone

None

nixos-unstable 2.7
- nixpkgs-unstable 2.7
- nixos-unstable-small 2.7
nixos-25.11 2.5
- nixos-25.11-small 2.5
- nixpkgs-25.11-darwin 2.5

pkgs.wordpressPackages.themes.twentytwentytwo

None

nixos-unstable 2.1
- nixpkgs-unstable 2.1
- nixos-unstable-small 2.1
nixos-25.11 2.0
- nixos-25.11-small 2.0
- nixpkgs-25.11-darwin 2.0

pkgs.wordpressPackages.themes.twentytwentyfive

None

nixos-unstable 1.4
- nixpkgs-unstable 1.4
- nixos-unstable-small 1.4
nixos-25.11 1.2
- nixos-25.11-small 1.2
- nixpkgs-25.11-darwin 1.2

pkgs.wordpressPackages.themes.twentytwentyfour

None

nixos-unstable 1.4
- nixpkgs-unstable 1.4
- nixos-unstable-small 1.4
nixos-25.11 1.3
- nixos-25.11-small 1.3
- nixpkgs-25.11-darwin 1.3

pkgs.wordpressPackages.themes.twentytwentythree

None

nixos-unstable 1.6
- nixpkgs-unstable 1.6
- nixos-unstable-small 1.6
nixos-25.11 1.6
- nixos-25.11-small 1.6
- nixpkgs-25.11-darwin 1.6

Package maintainers

@hedning Tor Hedin Brønner <torhedinbronner@gmail.com>
@jtojnar Jan Tojnar <jtojnar@gmail.com>
@dasj19 Daniel Șerbănescu <daniel@serbanescu.dk>
@bobby285271 Bobby Rong <rjl931189261@126.com>

Untriaged

Permalink CVE-2026-27023

5.0 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): CHANGED
Confidentiality impact (C): LOW
Integrity impact (I): NONE
Availability impact (A): NONE

created 1 month, 2 weeks ago Activity log

Created suggestion 1 month, 2 weeks ago

Twenty: SSRF protection bypass via HTTP redirect following in secure HTTP client

Twenty is an open source CRM. Prior to version 1.18, the SSRF protection in SecureHttpClientService validated request URLs at the request level but did not validate redirect targets. An authenticated user who could control outbound request URLs (e.g., webhook endpoints, image URLs) could bypass private IP blocking by redirecting through an attacker-controlled server. This issue has been patched in version 1.18.