CVE-2026-39970

HIGH

TypeBot: Stored Cross-Site Scripting (XSS) via SVG File Upload On Profile Picture Form

Title source: cna

Description

TypeBot is a chatbot builder tool. Versions 3.15.2 and prior contain a critical stored XSS vulnerability in the app.typebot.io profile picture upload form. The application fails to sanitize or restrict SVG/XML-based uploads and directly renders them when accessed through the domain. By uploading a crafted malicious SVG file containing embedded JavaScript, an attacker will execute arbitrary JavaScript code. This vulnerability directly enables stored XSS exploitation because the payload is persistently stored on your infrastructure (app.typebot.io) and accessible from a public-facing, permanent link. Stored XSS via malicious SVG uploads to app.typebot.io allows attackers to execute arbitrary JavaScript in victims' browsers, enabling session/token theft, account takeover, and exfiltration of sensitive user data. This issue has been fixed in version 3.16.0.

References (2)

Core 2

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-jj87-c343-26vp

X_Refsource_Misc x_refsource_misc

https://github.com/baptisteArno/typebot.io/releases/tag/v3.16.0

Scores

CVSS v4 8.5

EPSS 0.0036

EPSS Percentile 27.3%

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

baptisteArno/typebot.io < 3.16.0

Published May 22, 2026

Tracked Since May 23, 2026