Skip to main content

Typebot CVE-2026-39964

| EUVDEUVD-2026-31480 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-22 GitHub_M GHSA-hqmv-v56g-4m47
5.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch available
May 26, 2026 - 19:02 EUVD
Source Code Evidence Fetched
May 22, 2026 - 18:16 vuln.today
Analysis Generated
May 22, 2026 - 18:16 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 npm packages depend on @typebot.io/js (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 0.10.1.

DescriptionGitHub Advisory

TypeBot is a chatbot builder tool. In versions prior to 3.16.0, the Typebot viewer (packages/embeds/js) renders anchor tags from rich text bubble content without filtering the javascript: URI scheme. A bot author can set a link URL to javascript:PAYLOAD, which executes in the visitor's browser context when clicked. Since the viewer is typically embedded in a third-party site, the attacker's JavaScript runs in the host page's origin and can exfiltrate cookies and session tokens. This can result in any authenticated Typebot user (including those on the free tier) being able to create a bot with this payload. Shared bots are publicly accessible - no victim authentication is required. This issue has been resolved in version 3.16.0.

AnalysisAI

Stored XSS in Typebot's JavaScript viewer embed (packages/embeds/js) allows any authenticated bot author - including free-tier users - to inject arbitrary JavaScript into a visitor's browser by setting a rich text bubble link URL to a javascript: URI. When a visitor clicks the malicious link within an embedded bot, the payload executes in the host page's origin (S:C scope change), enabling exfiltration of cookies and session tokens from the embedding third-party site. No public exploit code or active exploitation is confirmed at time of analysis; a vendor-released patch is available in v3.16.0.

Technical ContextAI

The vulnerable component is the Typebot JavaScript embed viewer (packages/embeds/js, bumped from v0.10.0 to v0.10.1 in the fix). Three rendering paths were affected: Bot.tsx (link() href for generic links), PlateBlock.tsx (rich text Plate editor anchor elements), and ImageBubble.tsx (image click links). All three assigned user-supplied URL strings directly to href attributes without validating the URI scheme, enabling javascript: pseudo-protocol injection - a classic CWE-79 (Improper Neutralization of Input During Web Page Generation) instance. The CVSS S:C (Changed Scope) vector element reflects that the injected script executes not in the Typebot viewer's origin but in the embedding host page's origin. The fix introduces a new sanitizeUrl utility (packages/embeds/js/src/lib/sanitizeUrl.ts) that allowlists https:, http:, mailto:, and tel: protocols, returning '#' for anything else including javascript:, data:, and vbscript: URIs.

RemediationAI

Upgrade typebot.io to version 3.16.0, confirmed via the GitHub release tag at https://github.com/baptisteArno/typebot.io/releases/tag/v3.16.0. The fix is implemented in commit 2c3fc7267a5e1529ba4b1a2ab4f1edb3e3b8990b, which adds a sanitizeUrl utility that allowlists https:, http:, mailto:, and tel: URI schemes across all three affected rendering paths. For self-hosted deployments that cannot immediately upgrade, a compensating control is to restrict bot creation to trusted internal users only (remove public/free-tier registration), which eliminates the PR:L attack path; note this does not protect against malicious insiders. Blocking iframe embedding of the Typebot viewer entirely (via Content-Security-Policy frame-ancestors restrictions on the host site) would prevent the S:C host-origin execution impact but would also break legitimate embed functionality. Review any currently published bots for suspicious javascript: URIs in link fields before deploying the patch.

CVE-2026-33712 CRITICAL
10.0 May 22

Server-Side Request Forgery in Typebot chatbot builder versions 3.15.2 and prior allows unauthenticated remote attackers

CVE-2026-48768 CRITICAL
9.3 Jun 17

Unauthenticated cross-tenant file upload in Typebot.io chatbot builder versions 3.16.1 and earlier allows anonymous visi

CVE-2026-28445 HIGH
8.7 May 22

Stored cross-site scripting in Typebot chatbot builder versions 3.15.2 and prior allows a malicious imported or collabor

CVE-2026-48764 HIGH
8.2 Jun 17

Server-side request forgery in Typebot chatbot builder before version 3.17.2 allows remote unauthenticated attackers to

CVE-2026-49213 HIGH
8.1 Jul 10

Server-side request forgery in Typebot before 3.17.2 lets an authenticated workspace editor or creator bypass the shared

CVE-2026-39965 HIGH
7.7 May 22

Server-side request forgery in Typebot versions 3.15.2 and prior allows authenticated users to bypass the validateHttpRe

CVE-2026-34207 HIGH
7.6 May 22

Server-side request forgery in Typebot chatbot builder versions prior to 3.16.0 allows authenticated users to bypass SSR

CVE-2026-48759 HIGH
7.1 Jun 17

Cross-workspace tampering in Typebot 3.15.2 and earlier allows any authenticated workspace member to modify or delete th

CVE-2026-39968 HIGH
7.1 May 22

Authorization bypass in Typebot chatbot builder versions 3.15.2 and prior allows any authenticated user to access creden

CVE-2026-39969 MEDIUM
6.5 May 22

Missing HMAC signature validation on Typebot's WhatsApp Cloud API webhook endpoint exposes versions 3.16.0 and prior to

CVE-2026-39966 MEDIUM
6.5 May 22

Typebot 3.15.2 exposes complete private bot definitions across all workspaces to any authenticated platform user via a b

CVE-2026-28444 MEDIUM
6.5 May 22

Insecure Direct Object Reference (IDOR) in Typebot's getResultLogs API endpoint allows any authenticated user to read ex

Share

CVE-2026-39964 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy