JavaScript Injection Vulnerability in TypeBot by Typebot
CVE-2026-39964

5.4 MEDIUM

Key Information:

Vendor: Typebot
CVE Published: 22 May 2026

What is CVE-2026-39964?

The Typebot application, a tool for building chatbots, contains a vulnerability in versions prior to 3.16.0 that allows malicious JavaScript to be included in links rendered by its viewer. A bot author can craft a link using the 'javascript:' URI scheme; when a visitor clicks it, the embedded JavaScript executes in the visitor's browser context. This gives an attacker the opportunity to extract sensitive data from unsuspecting users, including cookies and session tokens. Because the Typebot viewer is often embedded in third-party websites, the malicious code runs under the origin of those sites, bypassing typical security measures. The issue is especially concerning because any authenticated Typebot user (a bot author) can exploit it, and no authentication by the victim is required, since shared bots are publicly accessible. The issue has been addressed and resolved in version 3.16.0.
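As an added illustration (not Typebot's own code), the defensive check a viewer can apply to author-supplied link targets: parse the href with the WHATWG URL parser, which lower-cases the scheme and strips tab/newline the same way a browser does before following the link, then allow only an explicit set of schemes. The viewer base URL, the rendering helper and the sample hrefs are constructed for this example.

```javascript
// Added example (not Typebot's own code): allowlist-based sanitisation of
// author-supplied link targets before a viewer renders them as <a href="...">.
// If the link text arrives as markdown or HTML, run this on the decoded
// href value, i.e. the string the browser would actually navigate to.

// Schemes a chat link legitimately needs; everything else, including
// javascript:, data: and vbscript:, is dropped rather than blocklisted.
const SAFE_SCHEMES = new Set(["http:", "https:", "mailto:", "tel:"]);

// Stand-in for the viewer's own origin, used to resolve relative hrefs
// (an assumption for this example).
const VIEWER_BASE = "https://viewer.example/";

// Returns a normalised absolute URL, or null if the href must not become a link.
function sanitizeHref(rawHref, base = VIEWER_BASE) {
  if (typeof rawHref !== "string") return null;
  let url;
  try {
    // The WHATWG URL parser lower-cases the scheme and strips leading and
    // trailing whitespace plus embedded tab/newline, so "  JaVaScRiPt:" and
    // "java\tscript:" resolve to the same "javascript:" a browser would run.
    url = new URL(rawHref, base);
  } catch {
    return null; // unparseable input is never rendered as a link
  }
  return SAFE_SCHEMES.has(url.protocol) ? url.href : null;
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Unsafe targets degrade to plain label text, so the visitor never receives a
// clickable javascript: URL; safe ones get a hardened anchor.
function renderLink(label, rawHref) {
  const safeLabel = escapeHtml(label);
  const href = sanitizeHref(rawHref);
  if (href === null) return safeLabel;
  return `<a href="${escapeHtml(href)}" target="_blank" rel="noopener noreferrer">${safeLabel}</a>`;
}

// Stand-alone demo on constructed link targets.
const SAMPLES = ["https://example.com/docs", "javascript:alert(1)",
                 "  JaVaScRiPt:alert(1)", "java\tscript:alert(1)", "/help"];
for (const h of SAMPLES) console.log(JSON.stringify(h), "->", sanitizeHref(h));
```

Allowlisting the scheme rather than blocklisting the string "javascript:" is what makes case, whitespace and tab/newline variants fall out of the parser already normalised.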

Affected Version(s)

typebot.io < 3.16.0

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published
  • Vulnerability reserved
