Stored XSS Vulnerability in TypeBot Chatbot Builder Tool
CVE-2026-39970

8.5HIGH

Key Information:

Vendor: Baptistearno
Status: Typebot.io
Vendor: CVE Published:; 22 May 2026

🔔 Create Baptistearno Vulnerability Alert

What is CVE-2026-39970?

TypeBot, the chatbot builder tool, contains a stored XSS vulnerability in its profile picture upload form, affecting versions 3.15.2 and earlier. The application inadequately sanitizes SVG/XML uploads, allowing attackers to upload malicious SVG files embedded with JavaScript. When a victim accesses these files through the app's domain, the embedded script executes, potentially granting attackers unauthorized access to user accounts, session tokens, and sensitive data. This vulnerability highlights the importance of proper input validation and output escaping in web applications. The issue has been resolved in version 3.16.0, which addresses the flaws in the upload functionality.

Affected Version(s)

typebot.io < 3.16.0

References

https://github.com/baptisteArno/typebot.io/security/advis...

x_refsource_CONFIRM

https://github.com/baptisteArno/typebot.io/releases/tag/v...

x_refsource_MISC

CVSS V4

Score:

8.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 22, 2026
Vulnerability Reserved
Apr 8, 2026

CVE-2026-39970 Data

JSON