https://dillonkirsch.com/tags/node.js/ Recent content in Node.js on Dillon Kirsch Hugo -- gohugo.io en-us Fri, 27 Feb 2026 00:00:00 +0000 https://dillonkirsch.com/post/locally_hosted_twenty_rce_cve_2026_26720/ Fri, 27 Feb 2026 00:00:00 +0000 https://dillonkirsch.com/post/locally_hosted_twenty_rce_cve_2026_26720/ From Learning to Root: How I Found a Remote Code Execution Vulnerability in Twenty CRM Code reviews and web application security aren’t exactly my wheelhouse. I wanted to change that, so I challenged myself to audit open-source codebases and look for potential security gaps. I chose Twenty, a popular open-source CRM with over 38,000 stars on GitHub. While exploring their serverless module implementation, I came across a file that immediately caught my eye: packages/twenty-server/src/engine/core-modules/serverless/drivers/local.