CVE-2026-39970
Published 2026-05-22
Priority: P3 (47) · Severity: high · CVSS 4.0 base score: 8.5
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.28% (percentile 19.3)
TypeBot is a chatbot builder tool. Versions 3.15.2 and prior contain a stored XSS vulnerability in the app.typebot.io profile picture upload form. The application neither restricts nor sanitizes SVG/XML uploads and serves them back unchanged from the app.typebot.io domain, so a browser that opens the stored file at its URL renders the SVG as a document and runs any script embedded in it. An attacker with an account can therefore upload a crafted SVG containing JavaScript and obtain a permanent, public link on app.typebot.io; anyone who opens that link executes the attacker's JavaScript in the application's own origin, which is what enables session/token theft, account takeover, and exfiltration of sensitive user data. The script runs only on a direct navigation to the file's URL: an SVG referenced from an img element does not execute script, which is why the public, shareable link is the core of the issue. The advisory text calls the bug critical, while the assigned CVSS 4.0 score is 8.5 (high), reflecting that the attacker needs an account to upload (PR:L) and the victim must open the link (UI:P). This issue has been fixed in version 3.16.0.
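The controls below are an added example in JavaScript (Typebot itself is a TypeScript/JavaScript code base) and are not Typebot's code or its actual fix. They show the three server-side pieces that close this class of bug: a profile-picture validator that identifies the image by its leading bytes rather than by the client's filename or Content-Type, a header set for serving stored uploads so that an SVG which does slip through is downloaded or sandboxed instead of rendered as a page in the application's origin, and a heuristic triage check for SVGs already sitting in storage. Every function name, the PNG byte sample and the SVG strings are this example's own constructions.

```javascript
// Added example, not Typebot's code. Names and inputs are assumptions.

// Raster formats accepted for a profile picture, identified by magic bytes.
// WebP is RIFF<size>WEBP, so it needs a second check at offset 8.
const RASTER_SIGNATURES = [
  { type: "image/png",  ext: ["png"],         at: 0, bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: "image/jpeg", ext: ["jpg", "jpeg"], at: 0, bytes: [0xff, 0xd8, 0xff] },
  { type: "image/gif",  ext: ["gif"],         at: 0, bytes: [0x47, 0x49, 0x46, 0x38] },
  { type: "image/webp", ext: ["webp"],        at: 0, bytes: [0x52, 0x49, 0x46, 0x46],
    alsoAt: 8, also: [0x57, 0x45, 0x42, 0x50] },
];

function matchesAt(buf, offset, bytes) {
  if (buf.length < offset + bytes.length) return false;
  return bytes.every((b, i) => buf[offset + i] === b);
}

// Identify the image from its bytes. The client-supplied Content-Type and file
// extension are deliberately not consulted here: the uploader controls both.
function sniffRasterType(buf) {
  for (const sig of RASTER_SIGNATURES) {
    if (!matchesAt(buf, sig.at, sig.bytes)) continue;
    if (sig.also && !matchesAt(buf, sig.alsoAt, sig.also)) continue;
    return sig;
  }
  return null;
}

// True when the payload starts like XML/SVG/HTML markup (BOM and whitespace skipped).
function looksLikeMarkup(buf) {
  const head = buf.subarray(0, 512).toString("utf8").replace(/^\uFEFF/, "").trimStart().toLowerCase();
  return /^<(\?xml|svg|!doctype|html)/.test(head);
}

// Accept only a sniffed raster image whose extension and declared type agree with
// the bytes; a mismatch means something is being smuggled past the filename check.
function validateProfilePicture({ filename, declaredType, bytes }) {
  const buf = Buffer.from(bytes);
  const sig = sniffRasterType(buf);
  if (!sig) {
    const reason = looksLikeMarkup(buf)
      ? "SVG/XML markup is not accepted as a profile picture"
      : "unrecognized image format";
    return { ok: false, type: null, reason };
  }
  const ext = (filename.split(".").pop() || "").toLowerCase();
  if (!sig.ext.includes(ext) || (declaredType && declaredType !== sig.type)) {
    return { ok: false, type: null, reason: `declared ${declaredType}/.${ext} does not match sniffed ${sig.type}` };
  }
  return { ok: true, type: sig.type, reason: null };
}

// Headers for serving any user upload. "attachment" stops a navigation to the URL
// from rendering the file as a page (img subresource loads are unaffected), nosniff
// stops type guessing, and the CSP sandbox denies script if it is rendered anyway.
function uploadResponseHeaders(sniffedType) {
  return {
    "Content-Type": sniffedType || "application/octet-stream",
    "X-Content-Type-Options": "nosniff",
    "Content-Disposition": "attachment",
    "Content-Security-Policy": "sandbox; default-src 'none'",
  };
}

// Heuristic triage for SVGs already in storage: flags constructs that let an SVG
// run script or embed HTML when opened as a top-level document. Not a sanitizer.
const ACTIVE_SVG_PATTERNS = [
  { name: "script element",           re: /<\s*script\b/i },
  { name: "event handler attribute",  re: /\son[a-z]+\s*=/i },
  { name: "javascript: URL",          re: /(?:href|xlink:href)\s*=\s*["']?\s*javascript:/i },
  { name: "foreignObject (embeds HTML)", re: /<\s*foreignObject\b/i },
];

function activeSvgContent(svgText) {
  return ACTIVE_SVG_PATTERNS.filter((p) => p.re.test(svgText)).map((p) => p.name);
}

// Constructed inputs: a PNG signature plus the start of an IHDR chunk, a hand-written
// SVG carrying script in the two most common places, and a benign SVG for contrast.
const PNG_BYTES = [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00, 0x00, 0x00, 0x0d, 0x49, 0x48, 0x44, 0x52];
const SVG_WITH_SCRIPT =
  '<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><script>alert(1)</script></svg>';
const SVG_BENIGN =
  '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4" fill="#09f"/></svg>';

function demo() {
  return {
    png: validateProfilePicture({ filename: "avatar.png", declaredType: "image/png", bytes: PNG_BYTES }),
    // The SVG disguised with a PNG name and Content-Type: the bytes give it away.
    svg: validateProfilePicture({ filename: "avatar.png", declaredType: "image/png", bytes: Buffer.from(SVG_WITH_SCRIPT) }),
    triage: activeSvgContent(SVG_WITH_SCRIPT),
    benign: activeSvgContent(SVG_BENIGN),
    headers: uploadResponseHeaders(null),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The header set is a second line of defence, not a substitute for the validator: the durable fix used by most upload services is to serve user files from a separate origin, so that any script that does run has no access to the application's cookies, storage or API. Rejecting SVG outright at upload is the right call for a profile picture, where a raster format loses nothing.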
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| baptistearno | typebot.io | < 3.16.0 | 3.16.0 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 4.0 | 8.5 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| cvelistv5 | 4.0 | 8.5 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
VulDB
baptisteArno typebot.io up to 3.15.x SVG File cross site scripting (GHSA-jj87-c343-26vp)
vuldb·2026-05-23
CVE-2026-39970 [LOW] baptisteArno typebot.io up to 3.15.x SVG File cross site scripting (GHSA-jj87-c343-26vp)
A vulnerability, which was classified as problematic, has been found in baptisteArno typebot.io up to 3.15.x. The affected element is an unknown function of the component SVG File Handler. The manipulation leads to cross site scripting.
This vulnerability is documented as CVE-2026-39970. The attack can be initiated remotely. No exploit is available.
It is advisable to upgrade the affected component.
CVEList
TypeBot: Stored Cross-Site Scripting (XSS) via SVG File Upload On Profile Picture Form
cvelistv5·2026-05-22·CVSS 8.5
CVE-2026-39970 [HIGH] CWE-79 TypeBot: Stored Cross-Site Scripting (XSS) via SVG File Upload On Profile Picture Form
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.