Skip to main content

Typebot EUVDEUVD-2026-31466

| CVE-2026-28445 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-22 GitHub_M GHSA-6m7c-xfhp-p9fh
8.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch available
May 26, 2026 - 18:02 EUVD
Source Code Evidence Fetched
May 22, 2026 - 16:45 vuln.today
Analysis Generated
May 22, 2026 - 16:45 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 npm packages depend on @typebot.io/js (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 0.10.1.

DescriptionGitHub Advisory

Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the RatingButton component in the embed package renders the user-controlled customIcon.svg field directly via Solid's innerHTML directive without any sanitization, even though DOMPurify is already a dependency and is used elsewhere in the codebase (e.g., StreamingBubble.tsx). Because rating blocks are not flagged as isUnsafe by the import sanitizer and the builder preview renders bots inline on the builder's own origin (builder.typebot.io) under a CSP permitting 'unsafe-inline', a malicious imported or collaborator-crafted typebot can execute arbitrary HTML/JS in the builder's authenticated context, bypassing the Web Worker sandbox that protects Script blocks during preview. This allows session hijacking and privilege escalation within the builder application. This issue has been fixed in version 3.16.0.

AnalysisAI

Stored cross-site scripting in Typebot chatbot builder versions 3.15.2 and prior allows a malicious imported or collaborator-crafted bot to execute arbitrary HTML/JavaScript in the authenticated builder context via the RatingButton component's customIcon.svg field. Because the builder preview renders bots inline on builder.typebot.io under a CSP permitting 'unsafe-inline', successful exploitation enables session hijacking and privilege escalation within the SaaS builder, with no public exploit identified at time of analysis.

Technical ContextAI

Typebot is an open-source chatbot builder (CPE cpe:2.3:a:baptistearno:typebot.io) whose embed package uses SolidJS, where the RatingButton component passes the user-controlled customIcon.svg string directly to Solid's innerHTML directive - a sink equivalent to React's dangerouslySetInnerHTML. This is a textbook CWE-79 (Improper Neutralization of Input During Web Page Generation) where DOMPurify was already a project dependency and used in StreamingBubble.tsx, but was never invoked on the rating block's SVG payload. Compounding the sink exposure, the import sanitizer did not flag rating blocks as isUnsafe, and the builder origin's CSP permits 'unsafe-inline' scripts, which neutralizes the Web Worker sandbox that normally isolates Script blocks during preview rendering.

RemediationAI

Vendor-released patch: upgrade Typebot to version 3.16.0 or later, available at https://github.com/baptisteArno/typebot.io/releases/tag/v3.16.0; the fix commit 474ecbf46bc47a75265bada2599f12b2179de375 adds DOMPurify-based sanitizeSvgFragment and sanitizeHtmlFragment helpers and applies sanitizeSvgFragment to rating-block customIcon.svg and sanitizeHtmlFragment to file-block placeholder labels inside the import sanitizer. For self-hosted operators who cannot immediately upgrade, restrict who can import typebots or invite collaborators (disable open imports, gate collaborator add to verified workspace admins), and review existing typebots for rating blocks containing <script>, on*= handlers, or javascript: URIs in customIcon.svg before opening them in the builder - note this manual review does not scale and will miss obfuscated payloads. Tightening the builder CSP to remove 'unsafe-inline' is the strongest compensating control but will break legitimate inline-script features of the builder preview, so it should only be applied if you can validate the builder still functions; consult the GHSA-6m7c-xfhp-p9fh advisory for vendor guidance.

CVE-2026-33712 CRITICAL
10.0 May 22

Server-Side Request Forgery in Typebot chatbot builder versions 3.15.2 and prior allows unauthenticated remote attackers

CVE-2026-48768 CRITICAL
9.3 Jun 17

Unauthenticated cross-tenant file upload in Typebot.io chatbot builder versions 3.16.1 and earlier allows anonymous visi

CVE-2026-48764 HIGH
8.2 Jun 17

Server-side request forgery in Typebot chatbot builder before version 3.17.2 allows remote unauthenticated attackers to

CVE-2026-49213 HIGH
8.1 Jul 10

Server-side request forgery in Typebot before 3.17.2 lets an authenticated workspace editor or creator bypass the shared

CVE-2026-39965 HIGH
7.7 May 22

Server-side request forgery in Typebot versions 3.15.2 and prior allows authenticated users to bypass the validateHttpRe

CVE-2026-34207 HIGH
7.6 May 22

Server-side request forgery in Typebot chatbot builder versions prior to 3.16.0 allows authenticated users to bypass SSR

CVE-2026-48759 HIGH
7.1 Jun 17

Cross-workspace tampering in Typebot 3.15.2 and earlier allows any authenticated workspace member to modify or delete th

CVE-2026-39968 HIGH
7.1 May 22

Authorization bypass in Typebot chatbot builder versions 3.15.2 and prior allows any authenticated user to access creden

CVE-2026-39969 MEDIUM
6.5 May 22

Missing HMAC signature validation on Typebot's WhatsApp Cloud API webhook endpoint exposes versions 3.16.0 and prior to

CVE-2026-39966 MEDIUM
6.5 May 22

Typebot 3.15.2 exposes complete private bot definitions across all workspaces to any authenticated platform user via a b

CVE-2026-28444 MEDIUM
6.5 May 22

Insecure Direct Object Reference (IDOR) in Typebot's getResultLogs API endpoint allows any authenticated user to read ex

CVE-2026-39964 MEDIUM
5.4 May 22

Stored XSS in Typebot's JavaScript viewer embed (packages/embeds/js) allows any authenticated bot author - including fre

Share

EUVD-2026-31466 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy