A vulnerability marked as critical has been reported in twentyhq twenty up to 1.16.7 . This affects the function group_by of the file engine/api/graphql/graphql-query-runner/group-by/resolvers/utils/get-group-by-expression.util.ts of the component REST API groupBy Endpoint . The manipulation of the argument timeZone leads to os command injection. This vulnerability is uniquely identified as CVE-2026-46624 . The attack is possible to be carried out remotely. No exploit exists.