Baptistearno Typebot.io
15 CVEs affecting Baptistearno Typebot.io. Latest disclosed: 2026-05-22. Critical: 2, High: 6.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-33712 | Critical | 10.0 | 2026-05-22 | Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the preview chat endpoint (POST /api/v1/typebots/{typebotId}/preview/startChat) allows unauthe… |
| CVE-2025-64709 | Critical | 9.6 | 2025-11-13 | Typebot is an open-source chatbot builder. In versions prior to 3.13.1, a Server-Side Request Forgery (SSRF) vulnerability in the Typebot webhook block (HTTP R… |
| CVE-2026-28445 | High | 8.7 | 2026-05-22 | Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the RatingButton component in the embed package renders the user-controlled customIcon.svg fie… |
| CVE-2024-30264 | High | 8.1 | 2024-04-04 | Typebot is an open-source chatbot builder. A reflected cross-site scripting (XSS) in the sign-in page of typebot.io prior to version 2.24.0 may allow an attack… |
| CVE-2026-39965 | High | 7.7 | 2026-05-22 | TypeBot is a chatbot builder tool. Versions 3.15.2 and prior contain an SSRF via Open Redirect Bypass as the HTTP Request block and Code block validate the ini… |
| CVE-2026-34207 | High | 7.6 | 2026-05-22 | TypeBot is a chatbot builder tool. In versions prior to 3.16.0, SSRF protection for Webhook / HTTP Request blocks validates only the URL string, blocked hostna… |
| CVE-2025-65098 | High | 7.4 | 2026-01-22 | Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any… |
| CVE-2026-39968 | High | 7.1 | 2026-05-22 | TypeBot is a chatbot builder tool. In versions 3.15.2 and prior, the fix for GHSA-4xc5-wfwc-jw47 ("Credential Theft via Client-Side Script Execution and API Au… |
| CVE-2026-39969 | Medium | 6.5 | 2026-05-22 | TypeBot is a chatbot builder tool. In versions 3.16.0 and prior, the WhatsApp Cloud API webhook endpoint (POST /v1/workspaces/{workspaceId}/whatsapp/{credentia… |
| CVE-2026-39966 | Medium | 6.5 | 2026-05-22 | TypeBot is a chatbot builder tool. In versions 3.15.2, the getLinkedTypebots API endpoint returns full bot definitions to any authenticated user who references… |
| CVE-2026-28444 | Medium | 6.5 | 2026-05-22 | Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the getResultLogs API endpoint authorizes the caller against the provided typebotId but fetche… |
| CVE-2026-39964 | Medium | 5.4 | 2026-05-22 | TypeBot is a chatbot builder tool. In versions prior to 3.16.0, the Typebot viewer (packages/embeds/js) renders anchor tags from rich text bubble content witho… |
| CVE-2025-64706 | Medium | 5.0 | 2025-11-13 | Typebot is an open-source chatbot builder. In version 3.9.0 up to but excluding version 3.13.0, an Insecure Direct Object Reference (IDOR) vulnerability exists… |
| CVE-2026-39967 | Low | 3.1 | 2026-05-22 | TypeBot is a chatbot builder tool. In versions 3.15.2 and prior, the bot engine's findResult query does not filter results by typebotId, allowing an authen… |
| CVE-2026-39970 | | | 2026-05-22 | TypeBot is a chatbot builder tool. Versions 3.15.2 and prior contain a critical stored XSS vulnerability in the app.typebot.io profile picture upload form. The… |