Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 1 npm packages depend on @typebot.io/js (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 0.10.1.
DescriptionGitHub Advisory
TypeBot is a chatbot builder tool. In versions prior to 3.16.0, the Typebot viewer (packages/embeds/js) renders anchor tags from rich text bubble content without filtering the javascript: URI scheme. A bot author can set a link URL to javascript:PAYLOAD, which executes in the visitor's browser context when clicked. Since the viewer is typically embedded in a third-party site, the attacker's JavaScript runs in the host page's origin and can exfiltrate cookies and session tokens. This can result in any authenticated Typebot user (including those on the free tier) being able to create a bot with this payload. Shared bots are publicly accessible - no victim authentication is required. This issue has been resolved in version 3.16.0.
AnalysisAI
Stored XSS in Typebot's JavaScript viewer embed (packages/embeds/js) allows any authenticated bot author - including free-tier users - to inject arbitrary JavaScript into a visitor's browser by setting a rich text bubble link URL to a javascript: URI. When a visitor clicks the malicious link within an embedded bot, the payload executes in the host page's origin (S:C scope change), enabling exfiltration of cookies and session tokens from the embedding third-party site. No public exploit code or active exploitation is confirmed at time of analysis; a vendor-released patch is available in v3.16.0.
Technical ContextAI
The vulnerable component is the Typebot JavaScript embed viewer (packages/embeds/js, bumped from v0.10.0 to v0.10.1 in the fix). Three rendering paths were affected: Bot.tsx (link() href for generic links), PlateBlock.tsx (rich text Plate editor anchor elements), and ImageBubble.tsx (image click links). All three assigned user-supplied URL strings directly to href attributes without validating the URI scheme, enabling javascript: pseudo-protocol injection - a classic CWE-79 (Improper Neutralization of Input During Web Page Generation) instance. The CVSS S:C (Changed Scope) vector element reflects that the injected script executes not in the Typebot viewer's origin but in the embedding host page's origin. The fix introduces a new sanitizeUrl utility (packages/embeds/js/src/lib/sanitizeUrl.ts) that allowlists https:, http:, mailto:, and tel: protocols, returning '#' for anything else including javascript:, data:, and vbscript: URIs.
RemediationAI
Upgrade typebot.io to version 3.16.0, confirmed via the GitHub release tag at https://github.com/baptisteArno/typebot.io/releases/tag/v3.16.0. The fix is implemented in commit 2c3fc7267a5e1529ba4b1a2ab4f1edb3e3b8990b, which adds a sanitizeUrl utility that allowlists https:, http:, mailto:, and tel: URI schemes across all three affected rendering paths. For self-hosted deployments that cannot immediately upgrade, a compensating control is to restrict bot creation to trusted internal users only (remove public/free-tier registration), which eliminates the PR:L attack path; note this does not protect against malicious insiders. Blocking iframe embedding of the Typebot viewer entirely (via Content-Security-Policy frame-ancestors restrictions on the host site) would prevent the S:C host-origin execution impact but would also break legitimate embed functionality. Review any currently published bots for suspicious javascript: URIs in link fields before deploying the patch.
More in Typebot Io
View allServer-Side Request Forgery in Typebot chatbot builder versions 3.15.2 and prior allows unauthenticated remote attackers
Unauthenticated cross-tenant file upload in Typebot.io chatbot builder versions 3.16.1 and earlier allows anonymous visi
Stored cross-site scripting in Typebot chatbot builder versions 3.15.2 and prior allows a malicious imported or collabor
Server-side request forgery in Typebot chatbot builder before version 3.17.2 allows remote unauthenticated attackers to
Server-side request forgery in Typebot before 3.17.2 lets an authenticated workspace editor or creator bypass the shared
Server-side request forgery in Typebot versions 3.15.2 and prior allows authenticated users to bypass the validateHttpRe
Server-side request forgery in Typebot chatbot builder versions prior to 3.16.0 allows authenticated users to bypass SSR
Cross-workspace tampering in Typebot 3.15.2 and earlier allows any authenticated workspace member to modify or delete th
Authorization bypass in Typebot chatbot builder versions 3.15.2 and prior allows any authenticated user to access creden
Missing HMAC signature validation on Typebot's WhatsApp Cloud API webhook endpoint exposes versions 3.16.0 and prior to
Typebot 3.15.2 exposes complete private bot definitions across all workspaces to any authenticated platform user via a b
Insecure Direct Object Reference (IDOR) in Typebot's getResultLogs API endpoint allows any authenticated user to read ex
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31480
GHSA-hqmv-v56g-4m47