LeakyCreds

CVE-2026-26720 - Vulnerability Analysis

Critical | CVSS: 9.8

Last Updated: March 4, 2026

Twenty CRM - Remote Code Execution

Published: March 2, 2026 | Updated: March 4, 2026 | PoC Available | Remote Exploitable

Overview

Twenty CRM <= 1.15.0 contains a remote code execution vulnerability caused by improper handling in the local.driver.ts module, which lets remote attackers execute arbitrary code. Exploitation requires network access.

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 24.6% (Probability of exploitation in next 30 days)

Impact

Remote attackers can execute arbitrary code, potentially leading to full system compromise.

Mitigation

Update to the latest version beyond 1.15.0.

Social Media Activity (2 posts)

TheHackerWire
@thehackerwire
Mar 2, 2026

CVE-2026-26720 - Critical (9.8) An issue in Twenty CRM v1.15.0 and before allows a remote attacker to execute arbitrary code via the local.driver.ts module. https://www.thehackerwire.com/vulnerability/CVE-2026-26720/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-26720
Severity: Critical
CVSS Score: 9.8
Status: confirmed
EPSS: 24.6%
Social Posts: 2

CWE

  • CWE-94

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

24.6% (Probability of exploitation in the next 30 days)