Threat Intelligence Database

Comprehensive database of the latest cyber threats affecting organizations worldwide. Filter and search to find specific threat intelligence relevant to your organization.

Threat Intelligence

CVE-2026-48768: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in baptisteArno typebot.io

TypeBot versions 3.16.1 and earlier have an unauthenticated path traversal vulnerability in the file upload URL generation endpoint. This allows anonymous users to upload attacker-controlled files to arbitrary subpaths within the storage, potentially enabling arbitrary content hosting and stored cross-site scripting (XSS). The issue is fixed in version 3.17.0.

CVE-2026-48764: CWE-918: Server-Side Request Forgery (SSRF) in baptisteArno typebot.io

TypeBot versions prior to 3.17.2 contain a Server-Side Request Forgery (SSRF) vulnerability due to a time-of-check to time-of-use (TOCTOU) flaw in hostname resolution. The SSRF protection validates the hostname by resolving it once, but the actual request resolves the hostname again, allowing DNS rebinding attacks to bypass validation. This can lead to unauthorized server-side requests to internal network services or cloud metadata endpoints. The vulnerability is fixed in version 3.17.2.

CVE-2026-48759: CWE-639: Authorization Bypass Through User-Controlled Key in baptisteArno typebot.io

TypeBot versions 3.15.2 and below have an authorization bypass vulnerability (CWE-639) allowing authenticated users to modify or delete theme templates across workspaces due to improper validation in theme template handlers. This issue is fixed in version 3.16.0.

CVE-2026-39969: CWE-287: Improper Authentication in baptisteArno typebot.io

TypeBot versions 3.16.0 and earlier have an improper authentication vulnerability in the WhatsApp Cloud API webhook endpoint. The endpoint does not verify the x-hub-signature-256 HMAC signature that Meta includes in webhook deliveries. Because the webhook URL exposes workspaceId and credentialsId in the path, which are logged and visible in multiple places, an unauthenticated attacker can send spoofed webhook messages. This can trigger bot flows, consume API resources, and interact with external services using the workspace owner's credentials. The issue is fixed in version 3.17.0.

CVE-2026-39967: CWE-639: Authorization Bypass Through User-Controlled Key in baptisteArno typebot.io

TypeBot is a chatbot builder tool. In versions 3.15.2 and prior, the bot engine's findResult query does not filter results by typebotId, allowing an authenticated user to load result data (user answers, variable values) from a different typebot by supplying a foreign resultId to the startChat endpoint. Exploitation is constrained by CUID2's cryptographically random 24-character IDs (making brute-force infeasible), the requirement that rememberUser be enabled, and the need for matching variable names in the current typebot. If successfully exploited, an attacker can access the original user's previous answers, session variable values, and hasStarted flag, potentially exposing PII such as names, emails, and phone numbers. This issue has been fixed in version 3.16.0.

CVE-2026-39970: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in baptisteArno typebot.io

TypeBot versions 3.15.2 and earlier contain a critical stored cross-site scripting (XSS) vulnerability in the profile picture upload form. The application does not properly sanitize SVG/XML uploads, allowing attackers to upload malicious SVG files with embedded JavaScript. This payload is persistently stored and publicly accessible, enabling execution of arbitrary JavaScript in users' browsers. Exploitation can lead to session theft, account takeover, and data exfiltration. The vulnerability is fixed in version 3.16.0.

CVE-2026-39968: CWE-284: Improper Access Control in baptisteArno typebot.io

TypeBot is a chatbot builder tool. In versions 3.15.2 and prior, the fix for GHSA-4xc5-wfwc-jw47 ("Credential Theft via Client-Side Script Execution and API Authorization Bypass") is incomplete. While the builder's getCredentials tRPC endpoint was patched with workspace membership checks, the bot-engine runtime still allows any authenticated user to use credentials from any workspace via the preview chat endpoint. The bot-engine's getCredentials() utility function uses a falsy check (if (workspaceId && ...)) for workspace ownership validation. Since the preview endpoint accepts a client-controlled workspaceId field and the Zod schema allows empty strings, an attacker can supply workspaceId: "" to bypass credential ownership verification entirely. Exploitation can result in credential exfiltration, external service abuse, financial damage and a data breach.

CVE-2026-39966: CWE-863: Incorrect Authorization in baptisteArno typebot.io

TypeBot is a chatbot builder tool. In version 3.15.2, the getLinkedTypebots API endpoint returns full bot definitions to any authenticated user who references a target bot ID in a Typebot Link block, regardless of workspace ownership, leading to IDOR. The authorization check uses Array.filter() with an async callback; since filter() is synchronous, the callback always returns a truthy Promise, so the access control predicate is never actually evaluated. Any authenticated Typebot user can read the full definition of any other workspace's private bots, including all conversation blocks and logic flow, variable values embedded in the bot (credentials, API keys, PII), webhook URLs, and integration configurations. This issue has been fixed in version 3.16.0.

CVE-2026-39965: CWE-918: Server-Side Request Forgery (SSRF) in baptisteArno typebot.io

TypeBot is a chatbot builder tool. Versions 3.15.2 and prior contain an SSRF via open redirect bypass: the HTTP Request block and Code block validate the initial request URL via validateHttpReqUrl() to block private IPs and cloud metadata hostnames, but the HTTP clients (ky and fetch) follow 302 redirects without re-validating the redirect destination. An authenticated user can point a bot block to an attacker-controlled server that responds with a redirect to an internal IP, causing the Typebot server to reach internal services. An authenticated Typebot user can reach AWS metadata (169.254.169.254), private subnets, and container-internal services. This is exploitable to extract cloud IAM credentials or probe internal APIs inaccessible from the internet. This issue has been fixed in version 3.16.0.

CVE-2026-39964: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in baptisteArno typebot.io

CVE-2026-39964 is a cross-site scripting (XSS) vulnerability in TypeBot versions prior to 3.16.0. The vulnerability arises because the Typebot viewer renders anchor tags from rich text bubble content without filtering the javascript: URI scheme. An attacker can craft a bot with a link containing a javascript: payload that executes in the visitor's browser when clicked. Since the viewer is embedded in third-party sites, the malicious script runs in the host page's origin, potentially allowing cookie and session token theft. This affects any authenticated Typebot user who can create bots, including free tier users. The issue was fixed in version 3.16.0.
