Skip to main content

Typebot Io

15 CVEs product

Monthly

CVE-2026-49213 HIGH PATCH This Week

Server-side request forgery in Typebot before 3.17.2 lets an authenticated workspace editor or creator bypass the shared SSRF validator using the IPv6 unspecified address :: (and its expanded form), which validateIPAddress in packages/lib/src/ssrf/validateHttpReqUrl.ts fails to block. By configuring a server-side HTTP Request block or guarded script fetch, an attacker coerces the Typebot server to reach local HTTP services via safeKy, including flows reachable through startChat and continueChat endpoints. No public exploit identified at time of analysis, but the fix is confirmed in 3.17.2 and the technical root cause is documented in the vendor advisory.

SSRF Typebot Io
NVD GitHub
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-48764 HIGH This Week

Server-side request forgery in Typebot chatbot builder before version 3.17.2 allows remote unauthenticated attackers to bypass SSRF protections via DNS rebinding, reaching internal services and cloud metadata endpoints. The validator resolves a hostname once for allowlist checks, but the subsequent HTTP request performs a fresh DNS resolution without IP pinning, creating a time-of-check to time-of-use (TOCTOU) gap. No public exploit identified at time of analysis, though the fix commit and detailed advisory are publicly available on GitHub.

SSRF Typebot Io
NVD GitHub
CVSS 3.1
8.2
EPSS
0.3%
CVE-2026-48768 CRITICAL Act Now

Unauthenticated cross-tenant file upload in Typebot.io chatbot builder versions 3.16.1 and earlier allows anonymous visitors of any published bot containing a file-input block to write attacker-controlled HTML, SVG, or JavaScript into arbitrary subpaths of the shared public S3 bucket. The flaw stems from an unauthenticated presigned-URL endpoint that trusts a raw fileName parameter and does not bind Content-Type, enabling stored XSS on the storage origin and content hosting under other tenants' result paths. No public exploit identified at time of analysis, but the CVSS 9.3 (scope-changed) reflects significant cross-tenant impact.

Path Traversal XSS Typebot Io
NVD GitHub VulDB
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-48759 HIGH This Week

Cross-workspace tampering in Typebot 3.15.2 and earlier allows any authenticated workspace member to modify or delete theme templates belonging to other workspaces by supplying a foreign themeTemplateId to the handleSaveThemeTemplate and handleDeleteThemeTemplate handlers. The handlers verify only that the caller is a non-guest member of the workspaceId argument but execute Prisma queries that omit workspaceId from the WHERE clause, producing an Insecure Direct Object Reference (CWE-639). No public exploit identified at time of analysis, and the issue was remediated in Typebot 3.16.0.

Authentication Bypass Typebot Io
NVD GitHub
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-39969 MEDIUM This Month

{workspaceId}/whatsapp/{credentialsId}/webhook ignores the x-hub-signature-256 header that Meta includes with every legitimate delivery, and because both path parameters are semi-public by design - appearing in web server access logs and Meta's webhook configuration dashboard - the attack surface is readily discoverable. Successful exploitation allows an attacker to trigger arbitrary bot automation flows, consume API resources, and abuse external service integrations using the workspace owner's stored credentials. No public exploit identified at time of analysis; vendor-released patch available in version 3.17.0.

Authentication Bypass Typebot Io
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-39967 LOW Monitor

Cross-typebot result data leakage in Typebot versions 3.15.2 and prior allows an authenticated user to read session variables, prior answers, and PII from a different typebot by supplying a foreign resultId to the startChat endpoint. The bot engine's findResult query omits typebotId from its database filter (CWE-639 IDOR), so any valid result record is returned regardless of which typebot owns it. If the attacker possesses a valid CUID2 resultId from another typebot and that typebot has rememberUser enabled, they can read the original user's names, emails, phone numbers, and other session variables exposed through matching variable names. No public exploit has been identified at time of analysis; vendor-released patch is available in version 3.16.0.

Authentication Bypass Typebot Io
NVD GitHub
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-39968 HIGH This Week

Authorization bypass in Typebot chatbot builder versions 3.15.2 and prior allows any authenticated user to access credentials from arbitrary workspaces via the preview chat endpoint. The bot-engine's getCredentials() utility uses a falsy check on workspaceId, so supplying an empty string bypasses ownership validation entirely, enabling credential theft, external service abuse, and data breach. This is an incomplete fix for the prior advisory GHSA-4xc5-wfwc-jw47, and no public exploit has been identified at time of analysis though the patch commit is public.

Authentication Bypass Typebot Io
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-39966 MEDIUM This Month

Typebot 3.15.2 exposes complete private bot definitions across all workspaces to any authenticated platform user via a broken authorization check in the getLinkedTypebots API endpoint, constituting a classic IDOR. The root cause is a JavaScript async/await misuse: Array.filter() is synchronous, so passing it an async callback causes every bot to pass the filter - the isReadTypebotForbidden predicate is never actually evaluated. Sensitive data leaked includes embedded credentials, API keys, PII stored as variables, webhook URLs, and integration configurations from any other user's private workspace bots. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV, but the exposure of hardcoded secrets elevates practical risk significantly beyond the 6.5 CVSS score suggests.

Authentication Bypass Typebot Io
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-39970 This Week

TypeBot is a chatbot builder tool. Versions 3.15.2 and prior contain a critical stored XSS vulnerability in the app.typebot.io profile picture upload form. The application fails to sanitize or restrict SVG/XML-based uploads and directly renders them when accessed through the domain. By uploading a crafted malicious SVG file containing embedded JavaScript, an attacker will execute arbitrary JavaScript code. This vulnerability directly enables stored XSS exploitation because the payload is persistently stored on your infrastructure (app.typebot.io) and accessible from a public-facing, permanent link. Stored XSS via malicious SVG uploads to app.typebot.io allows attackers to execute arbitrary JavaScript in victims' browsers, enabling session/token theft, account takeover, and exfiltration of sensitive user data. This issue has been fixed in version 3.16.0.

XSS Typebot Io
NVD GitHub
EPSS
0.0%
CVE-2026-39965 HIGH This Week

Server-side request forgery in Typebot versions 3.15.2 and prior allows authenticated users to bypass the validateHttpReqUrl() SSRF filter by chaining an attacker-controlled HTTP 302 redirect, since the underlying ky and fetch clients follow redirects without re-validating the destination. This enables reaching AWS instance metadata at 169.254.169.254, private subnets, and container-internal services from the Typebot server, with realistic impact including theft of cloud IAM credentials. No public exploit identified at time of analysis, and the issue is fixed in version 3.16.0.

Open Redirect SSRF Typebot Io
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-39964 npm MEDIUM PATCH GHSA This Month

Stored XSS in Typebot's JavaScript viewer embed (packages/embeds/js) allows any authenticated bot author - including free-tier users - to inject arbitrary JavaScript into a visitor's browser by setting a rich text bubble link URL to a javascript: URI. When a visitor clicks the malicious link within an embedded bot, the payload executes in the host page's origin (S:C scope change), enabling exfiltration of cookies and session tokens from the embedding third-party site. No public exploit code or active exploitation is confirmed at time of analysis; a vendor-released patch is available in v3.16.0.

XSS Typebot Io
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-34207 HIGH This Week

Server-side request forgery in Typebot chatbot builder versions prior to 3.16.0 allows authenticated users to bypass SSRF protections in Webhook and HTTP Request blocks by supplying attacker-controlled hostnames that resolve via DNS to loopback (127.0.0.1), cloud metadata (169.254.169.254), or RFC1918 private addresses. The validation logic only inspected the URL string and literal IP formats without performing DNS resolution, so a benign-looking domain could route the backend HTTP client to internal targets. No public exploit identified at time of analysis, though the GitHub Security Advisory and fix commit are publicly visible.

SSRF Typebot Io
NVD GitHub VulDB
CVSS 3.1
7.6
EPSS
0.1%
CVE-2026-33712 CRITICAL Act Now

Server-Side Request Forgery in Typebot chatbot builder versions 3.15.2 and prior allows unauthenticated remote attackers to abuse the preview chat endpoint to make arbitrary internal HTTP requests from the server. The flaw stems from the isolated-vm sandbox's fetch function calling Node.js native fetch without the SSRF validation (validateHttpReqUrl) that protects HTTP Request blocks, bypassing mitigations added after GHSA-8gq9-rw7v-3jpr. No public exploit identified at time of analysis, but the CVSS 10.0 (Critical) score with scope-changed impact indicates severe risk for both self-hosted and hosted deployments.

Node.js Authentication Bypass SSRF Typebot Io
NVD GitHub
CVSS 3.1
10.0
EPSS
0.1%
CVE-2026-28445 npm HIGH PATCH GHSA This Week

Stored cross-site scripting in Typebot chatbot builder versions 3.15.2 and prior allows a malicious imported or collaborator-crafted bot to execute arbitrary HTML/JavaScript in the authenticated builder context via the RatingButton component's customIcon.svg field. Because the builder preview renders bots inline on builder.typebot.io under a CSP permitting 'unsafe-inline', successful exploitation enables session hijacking and privilege escalation within the SaaS builder, with no public exploit identified at time of analysis.

XSS Privilege Escalation Typebot Io
NVD GitHub VulDB
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-28444 MEDIUM This Month

Insecure Direct Object Reference (IDOR) in Typebot's getResultLogs API endpoint allows any authenticated user to read execution logs belonging to other workspaces by supplying an arbitrary victim resultId alongside their own authorized typebotId. The endpoint authorizes the caller by typebotId but fetches log records by resultId alone, skipping cross-ownership validation that all peer endpoints in the same router correctly enforce. Exploitation exposes sensitive runtime data including HTTP response bodies, AI model outputs, and webhook payloads. No public exploit or CISA KEV listing has been identified at time of analysis, but the straightforward nature of the IDOR - requiring only a valid session and a guessed or enumerated resultId - makes unauthorized data access realistic for any authenticated platform user.

Information Disclosure Authentication Bypass Typebot Io
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Server-side request forgery in Typebot before 3.17.2 lets an authenticated workspace editor or creator bypass the shared SSRF validator using the IPv6 unspecified address :: (and its expanded form), which validateIPAddress in packages/lib/src/ssrf/validateHttpReqUrl.ts fails to block. By configuring a server-side HTTP Request block or guarded script fetch, an attacker coerces the Typebot server to reach local HTTP services via safeKy, including flows reachable through startChat and continueChat endpoints. No public exploit identified at time of analysis, but the fix is confirmed in 3.17.2 and the technical root cause is documented in the vendor advisory.

SSRF Typebot Io
NVD GitHub
EPSS 0% CVSS 8.2
HIGH This Week

Server-side request forgery in Typebot chatbot builder before version 3.17.2 allows remote unauthenticated attackers to bypass SSRF protections via DNS rebinding, reaching internal services and cloud metadata endpoints. The validator resolves a hostname once for allowlist checks, but the subsequent HTTP request performs a fresh DNS resolution without IP pinning, creating a time-of-check to time-of-use (TOCTOU) gap. No public exploit identified at time of analysis, though the fix commit and detailed advisory are publicly available on GitHub.

SSRF Typebot Io
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated cross-tenant file upload in Typebot.io chatbot builder versions 3.16.1 and earlier allows anonymous visitors of any published bot containing a file-input block to write attacker-controlled HTML, SVG, or JavaScript into arbitrary subpaths of the shared public S3 bucket. The flaw stems from an unauthenticated presigned-URL endpoint that trusts a raw fileName parameter and does not bind Content-Type, enabling stored XSS on the storage origin and content hosting under other tenants' result paths. No public exploit identified at time of analysis, but the CVSS 9.3 (scope-changed) reflects significant cross-tenant impact.

Path Traversal XSS Typebot Io
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Cross-workspace tampering in Typebot 3.15.2 and earlier allows any authenticated workspace member to modify or delete theme templates belonging to other workspaces by supplying a foreign themeTemplateId to the handleSaveThemeTemplate and handleDeleteThemeTemplate handlers. The handlers verify only that the caller is a non-guest member of the workspaceId argument but execute Prisma queries that omit workspaceId from the WHERE clause, producing an Insecure Direct Object Reference (CWE-639). No public exploit identified at time of analysis, and the issue was remediated in Typebot 3.16.0.

Authentication Bypass Typebot Io
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

{workspaceId}/whatsapp/{credentialsId}/webhook ignores the x-hub-signature-256 header that Meta includes with every legitimate delivery, and because both path parameters are semi-public by design - appearing in web server access logs and Meta's webhook configuration dashboard - the attack surface is readily discoverable. Successful exploitation allows an attacker to trigger arbitrary bot automation flows, consume API resources, and abuse external service integrations using the workspace owner's stored credentials. No public exploit identified at time of analysis; vendor-released patch available in version 3.17.0.

Authentication Bypass Typebot Io
NVD GitHub
EPSS 0% CVSS 3.1
LOW Monitor

Cross-typebot result data leakage in Typebot versions 3.15.2 and prior allows an authenticated user to read session variables, prior answers, and PII from a different typebot by supplying a foreign resultId to the startChat endpoint. The bot engine's findResult query omits typebotId from its database filter (CWE-639 IDOR), so any valid result record is returned regardless of which typebot owns it. If the attacker possesses a valid CUID2 resultId from another typebot and that typebot has rememberUser enabled, they can read the original user's names, emails, phone numbers, and other session variables exposed through matching variable names. No public exploit has been identified at time of analysis; vendor-released patch is available in version 3.16.0.

Authentication Bypass Typebot Io
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

Authorization bypass in Typebot chatbot builder versions 3.15.2 and prior allows any authenticated user to access credentials from arbitrary workspaces via the preview chat endpoint. The bot-engine's getCredentials() utility uses a falsy check on workspaceId, so supplying an empty string bypasses ownership validation entirely, enabling credential theft, external service abuse, and data breach. This is an incomplete fix for the prior advisory GHSA-4xc5-wfwc-jw47, and no public exploit has been identified at time of analysis though the patch commit is public.

Authentication Bypass Typebot Io
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Typebot 3.15.2 exposes complete private bot definitions across all workspaces to any authenticated platform user via a broken authorization check in the getLinkedTypebots API endpoint, constituting a classic IDOR. The root cause is a JavaScript async/await misuse: Array.filter() is synchronous, so passing it an async callback causes every bot to pass the filter - the isReadTypebotForbidden predicate is never actually evaluated. Sensitive data leaked includes embedded credentials, API keys, PII stored as variables, webhook URLs, and integration configurations from any other user's private workspace bots. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV, but the exposure of hardcoded secrets elevates practical risk significantly beyond the 6.5 CVSS score suggests.

Authentication Bypass Typebot Io
NVD GitHub
EPSS 0%
This Week

TypeBot is a chatbot builder tool. Versions 3.15.2 and prior contain a critical stored XSS vulnerability in the app.typebot.io profile picture upload form. The application fails to sanitize or restrict SVG/XML-based uploads and directly renders them when accessed through the domain. By uploading a crafted malicious SVG file containing embedded JavaScript, an attacker will execute arbitrary JavaScript code. This vulnerability directly enables stored XSS exploitation because the payload is persistently stored on your infrastructure (app.typebot.io) and accessible from a public-facing, permanent link. Stored XSS via malicious SVG uploads to app.typebot.io allows attackers to execute arbitrary JavaScript in victims' browsers, enabling session/token theft, account takeover, and exfiltration of sensitive user data. This issue has been fixed in version 3.16.0.

XSS Typebot Io
NVD GitHub
EPSS 0% CVSS 7.7
HIGH This Week

Server-side request forgery in Typebot versions 3.15.2 and prior allows authenticated users to bypass the validateHttpReqUrl() SSRF filter by chaining an attacker-controlled HTTP 302 redirect, since the underlying ky and fetch clients follow redirects without re-validating the destination. This enables reaching AWS instance metadata at 169.254.169.254, private subnets, and container-internal services from the Typebot server, with realistic impact including theft of cloud IAM credentials. No public exploit identified at time of analysis, and the issue is fixed in version 3.16.0.

Open Redirect SSRF Typebot Io
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored XSS in Typebot's JavaScript viewer embed (packages/embeds/js) allows any authenticated bot author - including free-tier users - to inject arbitrary JavaScript into a visitor's browser by setting a rich text bubble link URL to a javascript: URI. When a visitor clicks the malicious link within an embedded bot, the payload executes in the host page's origin (S:C scope change), enabling exfiltration of cookies and session tokens from the embedding third-party site. No public exploit code or active exploitation is confirmed at time of analysis; a vendor-released patch is available in v3.16.0.

XSS Typebot Io
NVD GitHub
EPSS 0% CVSS 7.6
HIGH This Week

Server-side request forgery in Typebot chatbot builder versions prior to 3.16.0 allows authenticated users to bypass SSRF protections in Webhook and HTTP Request blocks by supplying attacker-controlled hostnames that resolve via DNS to loopback (127.0.0.1), cloud metadata (169.254.169.254), or RFC1918 private addresses. The validation logic only inspected the URL string and literal IP formats without performing DNS resolution, so a benign-looking domain could route the backend HTTP client to internal targets. No public exploit identified at time of analysis, though the GitHub Security Advisory and fix commit are publicly visible.

SSRF Typebot Io
NVD GitHub VulDB
EPSS 0% CVSS 10.0
CRITICAL Act Now

Server-Side Request Forgery in Typebot chatbot builder versions 3.15.2 and prior allows unauthenticated remote attackers to abuse the preview chat endpoint to make arbitrary internal HTTP requests from the server. The flaw stems from the isolated-vm sandbox's fetch function calling Node.js native fetch without the SSRF validation (validateHttpReqUrl) that protects HTTP Request blocks, bypassing mitigations added after GHSA-8gq9-rw7v-3jpr. No public exploit identified at time of analysis, but the CVSS 10.0 (Critical) score with scope-changed impact indicates severe risk for both self-hosted and hosted deployments.

Node.js Authentication Bypass SSRF +1
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Stored cross-site scripting in Typebot chatbot builder versions 3.15.2 and prior allows a malicious imported or collaborator-crafted bot to execute arbitrary HTML/JavaScript in the authenticated builder context via the RatingButton component's customIcon.svg field. Because the builder preview renders bots inline on builder.typebot.io under a CSP permitting 'unsafe-inline', successful exploitation enables session hijacking and privilege escalation within the SaaS builder, with no public exploit identified at time of analysis.

XSS Privilege Escalation Typebot Io
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Insecure Direct Object Reference (IDOR) in Typebot's getResultLogs API endpoint allows any authenticated user to read execution logs belonging to other workspaces by supplying an arbitrary victim resultId alongside their own authorized typebotId. The endpoint authorizes the caller by typebotId but fetches log records by resultId alone, skipping cross-ownership validation that all peer endpoints in the same router correctly enforce. Exploitation exposes sensitive runtime data including HTTP response bodies, AI model outputs, and webhook payloads. No public exploit or CISA KEV listing has been identified at time of analysis, but the straightforward nature of the IDOR - requiring only a valid session and a guessed or enumerated resultId - makes unauthorized data access realistic for any authenticated platform user.

Information Disclosure Authentication Bypass Typebot Io
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy