A critical remote code execution vulnerability exists in Twenty CRM versions 1.7.7 through 1.16.7. The vulnerability stems from unsanitized user input in the timeZone parameter of the REST API groupBy endpoint, where the parameter is directly interpolated into raw SQL using JavaScript template literals without parameterization, validation, or escaping. An authenticated attacker can exploit this SQL inject [truncated]
## Summary

Twenty CRM versions 1.18.0 and earlier contain a stored cross-site scripting (XSS) vulnerability in file serving endpoints. The application serves uploaded files without setting security headers (Content-Type, Content-Disposition, X-Content-Type-Options), allowing authenticated attackers to upload HTML files with embedded JavaScript that executes in the victim's browser within the Twenty CRM do [truncated]
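As an added example (not Twenty CRM's code), the two defensive patterns the advisories above point at: the interpolated `timeZone` query beside a validated, parameterized version, and a header set for serving uploads that stops HTML from rendering in the application's origin. The table and column names, the pg-style `$1` placeholder and the inline-safe extension list are assumptions.

```javascript
// Added example, not code from Twenty CRM. The table and column names
// ("person", "createdAt"), the pg-style $1 placeholder and the inline-safe
// extension list are assumptions made for illustration.

// Unsafe shape described in the advisory: the timeZone value becomes part of
// the SQL text, so a quote in it changes the statement instead of the data.
function buildGroupByQueryUnsafe(timeZone) {
  const text = `SELECT date_trunc('day', "createdAt" AT TIME ZONE '${timeZone}')
    AS bucket, count(*) FROM "person" GROUP BY bucket`;
  return { text, values: [] };
}

// Allowlist check: Intl throws RangeError for anything that is not a time zone
// ICU knows, which rejects stray quotes, comments and arbitrary SQL fragments.
function isValidTimeZone(tz) {
  if (typeof tz !== 'string' || tz.length === 0 || tz.length > 64) return false;
  try {
    new Intl.DateTimeFormat('en-US', { timeZone: tz });
    return true;
  } catch (err) {
    return false;
  }
}

// Hardened shape: validate first, then pass the value as a bound parameter so
// the database never parses it as SQL.
function buildGroupByQuery(timeZone) {
  if (!isValidTimeZone(timeZone)) throw new RangeError('unsupported timeZone');
  const text = `SELECT date_trunc('day', "createdAt" AT TIME ZONE $1)
    AS bucket, count(*) FROM "person" GROUP BY bucket`;
  return { text, values: [timeZone] };
}

// Response headers for user uploads: force a download, keep a fixed
// Content-Type, and stop the browser from sniffing HTML out of the body.
const INLINE_SAFE_TYPES = new Map([['png', 'image/png'], ['jpg', 'image/jpeg']]);
function uploadResponseHeaders(filename) {
  const baseName = String(filename).split(/[\\/]/).pop() || 'download';
  const safeName = baseName.replace(/[^\w.-]/g, '_');
  const ext = (/\.([a-z0-9]+)$/i.exec(safeName) || [])[1];
  const contentType =
    INLINE_SAFE_TYPES.get(ext ? ext.toLowerCase() : '') || 'application/octet-stream';
  return {
    'Content-Type': contentType,
    'Content-Disposition': `attachment; filename="${safeName}"`,
    'X-Content-Type-Options': 'nosniff',
  };
}
```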