Skip to main content

Typebot CVE-2026-48768

CRITICAL
Path Traversal (CWE-22)
2026-06-17 GitHub_M
9.3
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N
vuln.today AI
9.3 CRITICAL

Unauthenticated network endpoint (AV:N/AC:L/PR:N/UI:N); cross-tenant write into a separate security authority gives S:C and I:H; minor C:L from key enumeration; no availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:H/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 18, 2026 - 00:00 vuln.today
Analysis Generated
Jun 18, 2026 - 00:00 vuln.today

DescriptionCVE.org

TypeBot is a chatbot builder tool. In versions 3.16.1 and earlier, POST /api/blocks/file-input/v3/generate-upload-url is unauthenticated and uses unsanitized fileName input to construct public/ S3 object keys, while issuing presigned PUT URLs that do not bind Content-Type. As a result, any anonymous visitor to a published bot with a file input can upload attacker-controlled HTML, SVG, or JS to attacker-chosen subpaths, including other tenants’ publicly served result paths, enabling arbitrary content hosting and potential stored XSS on the storage origin. ../ traversal is blocked by S3/MinIO canonicalization (signature mismatch), but forward-slash path injection is exploitable. This issue has been fixed in version 3.17.0.

AnalysisAI

Unauthenticated cross-tenant file upload in Typebot.io chatbot builder versions 3.16.1 and earlier allows anonymous visitors of any published bot containing a file-input block to write attacker-controlled HTML, SVG, or JavaScript into arbitrary subpaths of the shared public S3 bucket. The flaw stems from an unauthenticated presigned-URL endpoint that trusts a raw fileName parameter and does not bind Content-Type, enabling stored XSS on the storage origin and content hosting under other tenants' result paths. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Discover published bot with file-input block
Delivery
POST crafted fileName to generate-upload-url
Exploit
Receive presigned PUT URL for cross-tenant key
Execution
Upload HTML/SVG/JS payload via PUT
Persist
Distribute link under victim tenant path
Impact
Victim browser executes stored XSS on storage origin

Vulnerability AssessmentAI

Exploitation Requires the target Typebot instance to have at least one published bot containing a file-input block (v3) whose generate-upload-url endpoint is reachable; no authentication, no user interaction, and no admin access are required, consistent with PR:N/UI:N. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are largely aligned toward real priority: the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N gives a pre-auth, low-complexity, no-interaction network attack, S:C captures the cross-tenant pivot, and I:H reflects the ability to write arbitrary files into another tenant's content path; C:L and A:N correctly reflect that this is a write/integrity primitive, not data exfiltration. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker browses any internet-reachable Typebot instance, finds or generates a published bot URL that includes a file-input block, and calls the public generate-upload-url endpoint with a crafted fileName like 'public/<victim-workspace>/results/<victim-bot>/poc.html'. The server returns a presigned PUT URL targeting that key; the attacker PUTs an HTML or SVG payload (Content-Type is not bound by the signature) and links victims to the now-attacker-controlled URL under the victim tenant's path, triggering stored XSS or hosted phishing on the storage origin.
Remediation Vendor-released patch: 3.17.0 - upgrade to https://github.com/baptisteArno/typebot.io/releases/tag/v3.17.0, which is the primary fix and resolves both the fileName sanitization and the missing Content-Type binding on presigned URLs. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: inventory all Typebot.io deployments and identify instances running version 3.16.1 or earlier; immediately disable file-input blocks in all published bots. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-33712 CRITICAL
10.0 May 22

Server-Side Request Forgery in Typebot chatbot builder versions 3.15.2 and prior allows unauthenticated remote attackers

CVE-2026-28445 HIGH
8.7 May 22

Stored cross-site scripting in Typebot chatbot builder versions 3.15.2 and prior allows a malicious imported or collabor

CVE-2026-48764 HIGH
8.2 Jun 17

Server-side request forgery in Typebot chatbot builder before version 3.17.2 allows remote unauthenticated attackers to

CVE-2026-49213 HIGH
8.1 Jul 10

Server-side request forgery in Typebot before 3.17.2 lets an authenticated workspace editor or creator bypass the shared

CVE-2026-39965 HIGH
7.7 May 22

Server-side request forgery in Typebot versions 3.15.2 and prior allows authenticated users to bypass the validateHttpRe

CVE-2026-34207 HIGH
7.6 May 22

Server-side request forgery in Typebot chatbot builder versions prior to 3.16.0 allows authenticated users to bypass SSR

CVE-2026-48759 HIGH
7.1 Jun 17

Cross-workspace tampering in Typebot 3.15.2 and earlier allows any authenticated workspace member to modify or delete th

CVE-2026-39968 HIGH
7.1 May 22

Authorization bypass in Typebot chatbot builder versions 3.15.2 and prior allows any authenticated user to access creden

CVE-2026-39969 MEDIUM
6.5 May 22

Missing HMAC signature validation on Typebot's WhatsApp Cloud API webhook endpoint exposes versions 3.16.0 and prior to

CVE-2026-39966 MEDIUM
6.5 May 22

Typebot 3.15.2 exposes complete private bot definitions across all workspaces to any authenticated platform user via a b

CVE-2026-28444 MEDIUM
6.5 May 22

Insecure Direct Object Reference (IDOR) in Typebot's getResultLogs API endpoint allows any authenticated user to read ex

CVE-2026-39964 MEDIUM
5.4 May 22

Stored XSS in Typebot's JavaScript viewer embed (packages/embeds/js) allows any authenticated bot author - including fre

Share

CVE-2026-48768 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy