
CVE-2026-46624 - Twenty: SQL Injection via the timeZone field

CVSS 9.9 (Critical) · EPSS 0.15% (percentile 35)

Affected Version Matrix (1 entry)

Vendor: twentyhq · Product: twenty · Version range: >= 1.7.7, <= 1.16.7 · Status: affected

I. Basic Information for CVE-2026-46624

Vulnerability Information


Vulnerability Title
Twenty: SQL Injection via the timeZone field
Source: NVD (National Vulnerability Database)
Vulnerability Description
Twenty is an open source CRM. From 1.7.7 through 1.16.7, a critical Remote Code Execution (RCE) vulnerability exists in Twenty CRM via a chained SQL Injection and PostgreSQL COPY TO PROGRAM attack. If the PostgreSQL user is a superuser, any authenticated user can execute arbitrary OS commands on the database server by injecting SQL through the unsanitized timeZone parameter in the REST API groupBy endpoint. The timeZone field within the group_by query parameter is directly interpolated into a raw SQL expression using JavaScript template literals without any parameterization, validation, or escaping. This affects engine/api/graphql/graphql-query-runner/group-by/resolvers/utils/get-group-by-expression.util.ts.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Twenty security vulnerability
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Twenty is an open source CRM platform by Twenty. Twenty versions 1.7.7 through 1.16.7 contain a security vulnerability that stems from SQL injection through the unsanitized timeZone parameter chained with a PostgreSQL COPY TO PROGRAM attack, which may allow an authenticated user to execute arbitrary OS commands.
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
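The advisory above describes a pattern rather than a single line: a caller-controlled timeZone string is spliced into SQL text with a JavaScript template literal, and once a quote closes the literal the rest of the value is parsed as SQL. The block below is an added illustration, not Twenty's code and not a reconstruction of get-group-by-expression.util.ts; the column name, the DATE_TRUNC / AT TIME ZONE shape, the function names and the breakout payload are all assumptions chosen to show the bug class beside a hardened builder that validates the zone and binds it as a query parameter.

```typescript
// Added example, not Twenty's code. Reconstructs the *pattern* the advisory describes
// (timeZone interpolated into SQL via a template literal) beside a hardened builder.
// Column name, DATE_TRUNC shape, function names and the payload are assumptions.

export interface SqlFragment {
  sql: string;
  params: string[];
}

// Vulnerable pattern: the caller-controlled timeZone becomes part of the SQL text, so a
// single quote ends the literal and whatever follows is handed to PostgreSQL as SQL.
export function vulnerableGroupByExpression(column: string, timeZone: string): string {
  return `DATE_TRUNC('day', "${column}" AT TIME ZONE '${timeZone}')`;
}

// Strict syntax for IANA zone identifiers ("UTC", "Etc/GMT+2", "America/Argentina/Buenos_Aires").
// Quotes, semicolons, parentheses, colons and whitespace cannot pass, whatever Intl accepts.
// Offset forms such as "+05:00" are deliberately rejected; callers that need them can map
// them to a named zone first.
const ZONE_SYNTAX = /^[A-Za-z0-9_+\-/]{1,64}$/;

// Accept only identifiers the runtime itself recognises as a time zone. Intl throws a
// RangeError for anything else, so this is an allowlist that needs no maintenance.
export function isValidTimeZone(timeZone: string): boolean {
  if (!ZONE_SYNTAX.test(timeZone)) return false;
  try {
    new Intl.DateTimeFormat('en-US', { timeZone });
    return true;
  } catch {
    return false;
  }
}

// Hardened builder: the zone is validated and then bound as a positional parameter instead
// of being spliced into the text; the column is restricted to a plain identifier and quoted.
export function safeGroupByExpression(column: string, timeZone: string, paramIndex = 1): SqlFragment {
  if (!/^[A-Za-z_][A-Za-z0-9_]{0,62}$/.test(column)) {
    throw new Error(`invalid column identifier: ${JSON.stringify(column)}`);
  }
  if (!isValidTimeZone(timeZone)) {
    throw new Error(`unsupported time zone: ${JSON.stringify(timeZone)}`);
  }
  return {
    sql: `DATE_TRUNC('day', "${column}" AT TIME ZONE $${paramIndex})`,
    params: [timeZone],
  };
}

// Constructed payload, not taken from any published exploit. It only demonstrates that a
// quote in timeZone closes the literal; an attacker would place arbitrary statements here.
export const BREAKOUT_PAYLOAD = "UTC') /* attacker text now lives in the SQL */ -- ";

// Same inputs through both builders, for a side-by-side comparison.
export function compare(column: string, timeZone: string): { vulnerable: string; safe: SqlFragment | Error } {
  let safe: SqlFragment | Error;
  try {
    safe = safeGroupByExpression(column, timeZone);
  } catch (e) {
    safe = e as Error;
  }
  return { vulnerable: vulnerableGroupByExpression(column, timeZone), safe };
}
```

Two practitioner notes follow from the advisory's wording. First, COPY ... TO PROGRAM is only available to superusers and to members of the pg_execute_server_program role, which is why the advisory conditions RCE on the database user being a superuser; running Twenty under an ordinary role removes the command-execution step but leaves a full SQL injection as that role, so least privilege on the database account is mitigation, not a fix. Second, the fix is parameterization as in safeGroupByExpression above; the Intl-based validation is defence in depth that also gives the caller a clean error instead of a PostgreSQL syntax error.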

Affected Products

Vendor: twentyhq · Product: twenty · Affected versions: >= 1.7.7, <= 1.16.7 · CPE: not listed

II. Public POCs for CVE-2026-46624

No public POC found.

III. Intelligence Information for CVE-2026-46624


Vendor Advisories for CVE-2026-46624 (1)

IV. Related Vulnerabilities

V. Comments for CVE-2026-46624
