PT-2026-42817 · Typebot · Typebot
Published
2026-05-22
·
Updated
2026-05-26
·
CVE-2026-39964
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
TypeBot versions prior to 3.16.0
Description
The Typebot viewer renders anchor tags from rich text bubble content without filtering the
javascript: URI scheme. This allows a bot author to set a link URL containing a malicious payload that executes in the visitor's browser context upon being clicked. Because the viewer is commonly embedded in third-party websites, the executed JavaScript runs within the host page's origin, enabling the exfiltration of cookies and session tokens. This issue affects the packages/embeds/js component, specifically within the PlateBlock.tsx and ImageBubble.tsx files, where the href attribute is set directly from stored bot content without sanitization.Recommendations
Update to version 3.16.0.
Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Typebot