CVE-2026-28445 Overview
CVE-2026-28445 is a stored cross-site scripting (XSS) vulnerability in Typebot, an open-source chatbot builder. The flaw affects versions 3.15.2 and prior. The RatingButton component in the embed package renders the user-controlled customIcon.svg field directly through Solid's innerHTML directive without sanitization. A malicious imported or collaborator-crafted typebot can execute arbitrary HTML and JavaScript in the builder's authenticated context. This enables session hijacking and privilege escalation within the builder application. The issue is tracked under [CWE-79] and was fixed in version 3.16.0.
Critical Impact
Attackers can execute arbitrary JavaScript in the builder's authenticated origin (builder.typebot.io), hijack sessions, and escalate privileges by tricking users into importing a crafted typebot or collaborating on one.
Affected Products
- Typebot versions 3.15.2 and prior
- @typebot.io/embed package (RatingButton component)
- Typebot builder preview rendering on builder.typebot.io
Discovery Timeline
- 2026-05-22 - CVE CVE-2026-28445 published to NVD
- 2026-05-22 - Last updated in NVD database
Technical Details for CVE-2026-28445
Vulnerability Analysis
The vulnerability resides in the RatingButton component of Typebot's embed package. The component renders the customIcon.svg field, which is fully attacker-controlled, directly via Solid's innerHTML directive. DOMPurify is already a dependency and is used elsewhere in the codebase, including in StreamingBubble.tsx, but it is not applied to rating block icons. The import sanitizer does not flag rating blocks as isUnsafe, so malicious payloads pass through unfiltered.
The builder preview renders bots inline on the builder's own origin, builder.typebot.io. The Content Security Policy on that origin permits 'unsafe-inline', which allows injected inline scripts and event handlers to execute. Script blocks during preview are sandboxed inside a Web Worker, but the RatingButton rendering path bypasses this sandbox entirely. The result is arbitrary HTML and JavaScript execution in the authenticated builder context.
Root Cause
The root cause is missing output encoding on a user-controlled SVG payload. The customIcon.svg value flows directly into an innerHTML sink without invoking DOMPurify or any equivalent sanitizer. The import-side allowlist does not classify the rating block as unsafe, so server-side validation does not compensate for the client-side sink.
Attack Vector
An attacker crafts a typebot containing a rating block with a malicious customIcon.svg payload, such as an SVG element embedding <script> or onload handlers. The attacker shares the typebot for import or collaborates on a workspace with the victim. When the victim opens the builder preview, the payload executes in the builder.typebot.io origin under the victim's authenticated session. The attacker can then exfiltrate session tokens, call privileged builder APIs, or modify other typebots owned by the victim.
No verified public exploit code is available. For technical details, see the GitHub Security Advisory GHSA-6m7c-xfhp-p9fh and the GitHub Commit Details.
Detection Methods for CVE-2026-28445
Indicators of Compromise
- Rating blocks containing <script>, onload, onerror, or javascript: strings inside the customIcon.svg field of stored typebot definitions.
- Outbound requests from builder.typebot.io sessions to unfamiliar domains shortly after a typebot import or preview.
- Unexpected builder API calls, workspace modifications, or invitation events tied to a recently imported typebot.
Detection Strategies
- Scan stored typebot JSON for rating blocks whose customIcon.svg field contains HTML tags, event handler attributes, or script-related keywords.
- Review audit logs for typebot imports and collaborator additions immediately preceding privilege changes or token reuse anomalies.
- Inspect browser CSP violation reports from builder.typebot.io for inline script activity originating in preview iframes.
Monitoring Recommendations
- Monitor Typebot package versions across self-hosted deployments and alert on any instance running 3.15.2 or earlier.
- Log all typebot import operations with the importing user, source, and a hash of the imported document for forensic review.
- Track unusual session activity for builder accounts, including new API keys, workspace transfers, and bulk typebot edits.
How to Mitigate CVE-2026-28445
Immediate Actions Required
- Upgrade Typebot to version 3.16.0 or later on all self-hosted and managed deployments.
- Audit recently imported typebots and shared workspaces for rating blocks with suspicious customIcon.svg content and remove them.
- Rotate session tokens and API keys for builder accounts that previewed untrusted typebots while running affected versions.
Patch Information
The maintainer fixed the issue in Typebot 3.16.0. The fix applies DOMPurify sanitization to the customIcon.svg rendering path in the RatingButton component. See GitHub Release v3.16.0 and the patch commit 474ecbf46bc47a75265bada2599f12b2179de375.
Workarounds
- Restrict typebot imports to trusted users and disable import from untrusted sources until the upgrade is complete.
- Limit collaborator invitations and review existing collaborators on sensitive workspaces.
- Tighten the builder origin Content Security Policy to remove 'unsafe-inline' where feasible to reduce inline script execution risk.
# Configuration example
# Upgrade self-hosted Typebot via Docker Compose
docker compose pull
docker compose up -d
# Verify the running version is 3.16.0 or later
docker exec -it typebot-builder node -e "console.log(require('./package.json').version)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

