Cyber Resilience

CVE-2026-26720

Critical · Public PoC · RCE

Published: 02 March 2026
Modified: 04 March 2026
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0082 (52.5th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-26720 is a critical-severity Code Injection (CWE-94) vulnerability in Twenty CRM (vendor: Twenty). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score (0.0082, 52.5th percentile) places it in the top 47.5% of CVEs by estimated exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-26720 is a critical code injection vulnerability (CWE-94) in Twenty CRM versions v1.15.0 and earlier, enabling remote arbitrary code execution via the local.driver.ts module. Assigned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), it was published on 2026-03-02T16:16:25.517 and affects the open-source CRM software hosted at twenty.com.

A remote attacker requires no authentication, privileges, or user interaction to exploit the vulnerability over the network with low complexity. Successful exploitation allows full arbitrary code execution on the target system, resulting in high impacts to confidentiality, integrity, and availability.

Mitigation details and further analysis are available in referenced resources, including a technical breakdown at https://dillonkirsch.com/post/locally_hosted_twenty_rce_cve_2026_26720/, a GitHub proof-of-concept repository at https://github.com/dillonkirsch/CVE-2026-26720-Twenty-RCE, and the vendor site at https://twenty.com. Security practitioners should review these for patching guidance and exploit details.


Vulnerability details

An issue in Twenty CRM v1.15.0 and before allows a remote attacker to execute arbitrary code via the local.driver.ts module.

CWE(s)

CWE-94 Improper Control of Generation of Code ('Code Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated remote arbitrary code execution in a public-facing CRM web application directly enables T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-46624 (same product: Twenty CRM)
CVE-2026-44729 (same product: Twenty CRM)
CVE-2026-41229 (shared CWE-94)
CVE-2026-44262 (shared CWE-94)
CVE-2026-40563 (shared CWE-94)
CVE-2024-32641 (shared CWE-94)
CVE-2025-71243 (shared CWE-94)
CVE-2026-2052 (shared CWE-94)
CVE-2026-9170 (shared CWE-94)
CVE-2025-54451 (shared CWE-94)

Affected Assets

Vendor: twenty · Product: twenty · Versions: ≤ 1.15.0
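As an added example for the flaw-remediation side (not code from this page, its references, or the vendor): a small inventory triage that parses version strings as they appear in image tags and package manifests and flags instances inside the affected range stated above (≤ 1.15.0). It assumes that any release numerically after 1.15.0 is outside that range; this page does not name the fixing release, so confirm it against the vendor before closing findings. Hostnames and version tags in the sample inventory are constructed.

```typescript
// Added example: triage a Twenty CRM inventory against the affected range
// "≤ 1.15.0" given on this page. Not vendor code. The fixing release is not
// named on the page, so the upper bound is taken literally from that range.

const LAST_AFFECTED: [number, number, number] = [1, 15, 0];

type Parsed = { core: [number, number, number]; prerelease: boolean };

// Accepts "1.15.0", "v1.15.0", "1.15", "v1.16.0-rc.1", "1.15.0+build7".
// Returns null for strings that are not versions ("latest", "main").
export function parseVersion(raw: string): Parsed | null {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(raw.trim());
  if (!m) return null;
  return {
    core: [Number(m[1]), Number(m[2] ?? 0), Number(m[3] ?? 0)],
    prerelease: m[4] !== undefined,
  };
}

function compareCore(a: [number, number, number], b: [number, number, number]): number {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Affected when the numeric core is ≤ 1.15.0. A pre-release of 1.15.0 itself
// (e.g. 1.15.0-rc.1) precedes 1.15.0 and is therefore still affected; a
// pre-release of a later version has a later core and falls outside the range.
export function isAffected(raw: string): boolean | null {
  const v = parseVersion(raw);
  if (v === null) return null; // unknown: needs a manual check
  return compareCore(v.core, LAST_AFFECTED) <= 0;
}

type Host = { host: string; version: string };
type Finding = { host: string; version: string; status: "affected" | "not-affected" | "unknown" };

export function triage(inventory: Host[]): Finding[] {
  return inventory.map(({ host, version }) => {
    const a = isAffected(version);
    return { host, version, status: a === null ? "unknown" : a ? "affected" : "not-affected" };
  });
}

// Constructed sample inventory (hostnames and tags are made up).
export const SAMPLE: Host[] = [
  { host: "crm-prod-1", version: "v1.15.0" },
  { host: "crm-prod-2", version: "1.14.2" },
  { host: "crm-staging", version: "v1.16.0-rc.1" },
  { host: "crm-dev", version: "latest" },
];
```

Anything that parses as "unknown" (floating tags such as `latest`) should be resolved to a concrete version from the running container or `package.json` rather than assumed safe.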

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

SI-2 Flaw Remediation (prevent)
Directly mitigates CVE-2026-26720 by requiring timely identification, reporting, and patching of the code injection flaw in Twenty CRM's local.driver.ts module.

SI-10 Information Input Validation (prevent)
Prevents arbitrary code execution by enforcing validation of untrusted inputs to the vulnerable local.driver.ts module susceptible to CWE-94 code injection.

SC-7 Boundary Protection (prevent, detect)
Boundary protection controls network communications to block or detect remote unauthenticated exploitation payloads targeting the Twenty CRM vulnerability.
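To make the input-validation control concrete, here is an added example (not code from Twenty, from this page, or from its referenced proof-of-concept) of the CWE-94 pattern in TypeScript, the project's language: a hypothetical template helper that evaluates a user-controlled placeholder by generating code, beside a hardened version that accepts only allow-listed field names and resolves them by property lookup. The helper, its `{{ }}` template syntax, the function names and the payload are constructed for illustration; they are not the actual local.driver.ts flaw.

```typescript
// Added example: a hypothetical CWE-94 sink and its hardened replacement.
// Not Twenty's code; the template syntax, helper names and payload are
// constructed for illustration.

type Row = Record<string, string | number>;

// VULNERABLE (constructed): the placeholder text is spliced into generated code.
// Prefixing "record." does not help: any expression can be chained after it.
export function renderUnsafe(template: string, record: Row): string {
  return template.replace(/\{\{(.+?)\}\}/g, (_m: string, expr: string) => {
    const fn = new Function("record", `return (record.${expr.trim()});`);
    return String(fn(record));
  });
}

// HARDENED: positive validation in the SI-10 sense. A placeholder must be a
// bare identifier naming an own property of the record; the value is read by
// property lookup, so attacker-controlled text never reaches a code generator.
const FIELD_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;

export function renderSafe(template: string, record: Row): string {
  return template.replace(/\{\{(.+?)\}\}/g, (_m: string, expr: string) => {
    const key = expr.trim();
    if (!FIELD_NAME.test(key)) {
      throw new Error(`rejected placeholder: ${JSON.stringify(key)}`);
    }
    if (!Object.prototype.hasOwnProperty.call(record, key)) {
      throw new Error(`unknown field: ${key}`);
    }
    return String(record[key]);
  });
}

// Constructed injection payload: walks Object -> Function through the
// constructor chain and runs arbitrary code at render time. Its only side
// effect here is setting a global flag so the outcome can be observed.
export const PAYLOAD =
  '{{ constructor.constructor("globalThis.__cwe94_demo = 1")() }}';

// Runs both renderers over a sample row and reports what happened.
export function demo(): { unsafeExecuted: boolean; safeRejected: boolean } {
  const row: Row = { firstName: "Ada", company: "Example Ltd" };
  delete (globalThis as any).__cwe94_demo;

  renderUnsafe(PAYLOAD, row); // attacker-controlled code runs here
  const unsafeExecuted = (globalThis as any).__cwe94_demo === 1;

  let safeRejected = false;
  try {
    renderSafe(PAYLOAD, row);
  } catch {
    safeRejected = true; // validation stopped the payload before any evaluation
  }
  return { unsafeExecuted, safeRejected };
}
```

The hardened form is deliberately narrow: it validates against a positive grammar (bare identifiers only) and then never interprets the input as code. Blocklisting words such as `constructor` in the unsafe version would not be equivalent, because the sink still hands attacker text to a code generator.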

References

https://dillonkirsch.com/post/locally_hosted_twenty_rce_cve_2026_26720/ (technical breakdown)
https://github.com/dillonkirsch/CVE-2026-26720-Twenty-RCE (proof-of-concept repository)
https://twenty.com (vendor site)