CVE-2026-46624 | twentyhq twenty up to 1.16.7 REST API groupBy Endpoint get-group-by-expression.util.ts group_by timeZone os command injection (GHSA-jgx4-6mr9-9573)

A vulnerability marked as critical has been reported in twentyhq twenty up to 1.16.7. This affects the function group_by of the file engine/api/graphql/graphql-query-runner/group-by/resolvers/utils/get-group-by-expression.util.ts of the component REST API groupBy Endpoint. The manipulation of the argument timeZone leads to os command injection.

This vulnerability is uniquely identified as CVE-2026-46624. The attack is possible to be carried out remotely. No exploit exists.VulDB Recent EntriesRead More