PT-2026-42817 · Typebot · Typebot

Published

2026-05-22

·

Updated

2026-05-26

·

CVE-2026-39964

CVSS v3.1

5.4

Medium

VectorAV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions TypeBot versions prior to 3.16.0
Description The Typebot viewer renders anchor tags from rich text bubble content without filtering the javascript: URI scheme. This allows a bot author to set a link URL containing a malicious payload that executes in the visitor's browser context upon being clicked. Because the viewer is commonly embedded in third-party websites, the executed JavaScript runs within the host page's origin, enabling the exfiltration of cookies and session tokens. This issue affects the packages/embeds/js component, specifically within the PlateBlock.tsx and ImageBubble.tsx files, where the href attribute is set directly from stored bot content without sanitization.
Recommendations Update to version 3.16.0.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-39964
GHSA-HQMV-V56G-4M47

Affected Products

Typebot