Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 1 npm packages depend on @typebot.io/js (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 0.10.1.
DescriptionGitHub Advisory
Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the RatingButton component in the embed package renders the user-controlled customIcon.svg field directly via Solid's innerHTML directive without any sanitization, even though DOMPurify is already a dependency and is used elsewhere in the codebase (e.g., StreamingBubble.tsx). Because rating blocks are not flagged as isUnsafe by the import sanitizer and the builder preview renders bots inline on the builder's own origin (builder.typebot.io) under a CSP permitting 'unsafe-inline', a malicious imported or collaborator-crafted typebot can execute arbitrary HTML/JS in the builder's authenticated context, bypassing the Web Worker sandbox that protects Script blocks during preview. This allows session hijacking and privilege escalation within the builder application. This issue has been fixed in version 3.16.0.
AnalysisAI
Stored cross-site scripting in Typebot chatbot builder versions 3.15.2 and prior allows a malicious imported or collaborator-crafted bot to execute arbitrary HTML/JavaScript in the authenticated builder context via the RatingButton component's customIcon.svg field. Because the builder preview renders bots inline on builder.typebot.io under a CSP permitting 'unsafe-inline', successful exploitation enables session hijacking and privilege escalation within the SaaS builder, with no public exploit identified at time of analysis.
Technical ContextAI
Typebot is an open-source chatbot builder (CPE cpe:2.3:a:baptistearno:typebot.io) whose embed package uses SolidJS, where the RatingButton component passes the user-controlled customIcon.svg string directly to Solid's innerHTML directive - a sink equivalent to React's dangerouslySetInnerHTML. This is a textbook CWE-79 (Improper Neutralization of Input During Web Page Generation) where DOMPurify was already a project dependency and used in StreamingBubble.tsx, but was never invoked on the rating block's SVG payload. Compounding the sink exposure, the import sanitizer did not flag rating blocks as isUnsafe, and the builder origin's CSP permits 'unsafe-inline' scripts, which neutralizes the Web Worker sandbox that normally isolates Script blocks during preview rendering.
RemediationAI
Vendor-released patch: upgrade Typebot to version 3.16.0 or later, available at https://github.com/baptisteArno/typebot.io/releases/tag/v3.16.0; the fix commit 474ecbf46bc47a75265bada2599f12b2179de375 adds DOMPurify-based sanitizeSvgFragment and sanitizeHtmlFragment helpers and applies sanitizeSvgFragment to rating-block customIcon.svg and sanitizeHtmlFragment to file-block placeholder labels inside the import sanitizer. For self-hosted operators who cannot immediately upgrade, restrict who can import typebots or invite collaborators (disable open imports, gate collaborator add to verified workspace admins), and review existing typebots for rating blocks containing <script>, on*= handlers, or javascript: URIs in customIcon.svg before opening them in the builder - note this manual review does not scale and will miss obfuscated payloads. Tightening the builder CSP to remove 'unsafe-inline' is the strongest compensating control but will break legitimate inline-script features of the builder preview, so it should only be applied if you can validate the builder still functions; consult the GHSA-6m7c-xfhp-p9fh advisory for vendor guidance.
More in Typebot Io
View allServer-Side Request Forgery in Typebot chatbot builder versions 3.15.2 and prior allows unauthenticated remote attackers
Unauthenticated cross-tenant file upload in Typebot.io chatbot builder versions 3.16.1 and earlier allows anonymous visi
Server-side request forgery in Typebot chatbot builder before version 3.17.2 allows remote unauthenticated attackers to
Server-side request forgery in Typebot before 3.17.2 lets an authenticated workspace editor or creator bypass the shared
Server-side request forgery in Typebot versions 3.15.2 and prior allows authenticated users to bypass the validateHttpRe
Server-side request forgery in Typebot chatbot builder versions prior to 3.16.0 allows authenticated users to bypass SSR
Cross-workspace tampering in Typebot 3.15.2 and earlier allows any authenticated workspace member to modify or delete th
Authorization bypass in Typebot chatbot builder versions 3.15.2 and prior allows any authenticated user to access creden
Missing HMAC signature validation on Typebot's WhatsApp Cloud API webhook endpoint exposes versions 3.16.0 and prior to
Typebot 3.15.2 exposes complete private bot definitions across all workspaces to any authenticated platform user via a b
Insecure Direct Object Reference (IDOR) in Typebot's getResultLogs API endpoint allows any authenticated user to read ex
Stored XSS in Typebot's JavaScript viewer embed (packages/embeds/js) allows any authenticated bot author - including fre
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31466
GHSA-6m7c-xfhp-p9fh