CVE-2026-39964 Overview
CVE-2026-39964 is a stored Cross-Site Scripting (XSS) vulnerability in Typebot, an open-source chatbot builder tool. The flaw exists in the Typebot viewer component (packages/embeds/js) in versions prior to 3.16.0. The viewer renders anchor tags from rich text bubble content without filtering the javascript: URI scheme. A bot author can set a link URL to javascript:PAYLOAD, which executes in the visitor's browser when clicked. Because the viewer is typically embedded in third-party sites, the injected script runs in the host page's origin and can exfiltrate cookies and session tokens. The issue is fixed in version 3.16.0.
Critical Impact
Any authenticated Typebot user, including free-tier accounts, can craft a shared bot containing a javascript: link that executes attacker-controlled code in the origin of any embedding site, enabling cookie and session token theft without victim authentication.
Affected Products
- Typebot (baptisteArno/typebot.io) — versions prior to 3.16.0
- Typebot viewer component packages/embeds/js
- Any third-party website embedding a vulnerable Typebot viewer
Discovery Timeline
- 2026-05-22 - CVE-2026-39964 published to NVD
- 2026-05-23 - Last updated in NVD database
Technical Details for CVE-2026-39964
Vulnerability Analysis
The vulnerability is a stored Cross-Site Scripting (XSS) issue classified as [CWE-79]. Typebot's rich text bubble feature allows bot authors to attach hyperlinks to text. The viewer renders these hyperlinks as HTML <a> elements using the author-supplied URL directly in the href attribute. The renderer does not validate or filter the URI scheme before output.
An attacker who controls a bot can supply a URL beginning with javascript: followed by arbitrary code. When a visitor clicks the link, the browser evaluates the JavaScript in the context of the embedding page. Because Typebot viewers are commonly embedded into third-party customer sites, the script executes in that site's origin and can access document cookies, localStorage, and session tokens.
Exploitation requires user interaction (a click) and low privileges (a free-tier Typebot account). Shared bots are publicly accessible, so victim authentication to Typebot is not required.
Root Cause
The root cause is missing input sanitization on the URL field of anchor elements rendered from rich text bubble content. The viewer component in packages/embeds/js accepts any string as a link target and inserts it into the href attribute without an allowlist for safe URI schemes such as http, https, or mailto. The javascript: pseudo-protocol is therefore preserved through rendering.
Attack Vector
An attacker creates a Typebot account, builds a bot with a text bubble containing a hyperlink, and sets the link URL to a javascript: payload that reads document.cookie and exfiltrates it to an attacker-controlled endpoint. The attacker then shares the bot link or relies on the bot being embedded in a target site. When a visitor interacts with the bot and clicks the link, the payload runs in the host page's origin, allowing theft of session cookies and authentication tokens. Refer to the GitHub Security Advisory GHSA-hqmv-v56g-4m47 and the GitHub Commit Log for the technical fix details.
Detection Methods for CVE-2026-39964
Indicators of Compromise
- Anchor tags in Typebot rich text content with href values starting with javascript:, data:, or vbscript:.
- Outbound requests from embedding pages to unfamiliar domains immediately following user clicks inside a Typebot widget.
- Unexpected session token or cookie exposure in browser network telemetry on pages hosting the Typebot viewer.
- Typebot viewer bundle versions older than 3.16.0 deployed in production embeds.
Detection Strategies
- Inspect stored bot definitions in the Typebot database for link fields containing scheme prefixes other than http, https, or mailto.
- Enable Content Security Policy (CSP) reporting on sites embedding Typebot to surface script-src and inline violations triggered by javascript: URI execution.
- Review web application firewall (WAF) and browser telemetry for anomalous document.cookie access patterns originating from embedded chatbot components.
Monitoring Recommendations
- Audit the packages/embeds/js viewer version deployed across all embedding domains and confirm the version is 3.16.0 or later.
- Monitor for outbound cookie or token exfiltration to non-allowlisted destinations from pages hosting third-party widgets.
- Track new Typebot bot creations and flag bots containing link content with non-standard URI schemes for review.
How to Mitigate CVE-2026-39964
Immediate Actions Required
- Upgrade Typebot to version 3.16.0 or later across all self-hosted deployments and update embedded viewer bundles on third-party sites.
- Audit existing bots for link fields containing javascript:, data:, or vbscript: URI schemes and remove or replace offending entries.
- Rotate session cookies and authentication tokens for sites that have embedded vulnerable Typebot viewers and may have been visited by untrusted bot links.
Patch Information
The vulnerability is resolved in Typebot version 3.16.0. The fix adds URI scheme filtering for anchor tags rendered from rich text bubble content. See the GitHub Release v3.16.0 and the corresponding GitHub Commit Log for patch contents.
Workarounds
- If immediate upgrade is not feasible, restrict bot creation to trusted users and disable public sharing of bots authored by untrusted accounts.
- Deploy a strict Content Security Policy on embedding sites that disallows inline script execution and unsafe URI schemes.
- Proxy or sanitize bot link content at the application layer to strip non-http(s) URI schemes before rendering.
# Example: upgrade Typebot via npm in a self-hosted deployment
npm install @typebot.io/js@^3.16.0
# Or pin viewer bundle in HTML embed to v3.16.0+
# <script src="https://cdn.jsdelivr.net/npm/@typebot.io/js@3.16.0/dist/web.js"></script>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

