CVE-2026-39970 HIGH

CVE-2026-39970: TypeBot: Stored Cross-Site Scripting (XSS) via SVG File Upload On Profile Picture Form

Vendor Baptistearno

Product typebot.io

Weakness CWE-79 · XSS

Published May 22, 2026

Last update May 22, 2026

View on NVD All CVEs

CVSS base score

8.5/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

TypeBot is a chatbot builder tool. Versions 3.15.2 and prior contain a critical stored XSS vulnerability in the app.typebot.io profile picture upload form. The application fails to sanitize or restrict SVG/XML-based uploads and directly renders them when accessed through the domain. By uploading a crafted malicious SVG file containing embedded JavaScript, an attacker will execute arbitrary JavaScript code. This vulnerability directly enables stored XSS exploitation because the payload is persistently stored on your infrastructure (app.typebot.io) and accessible from a public-facing, permanent link. Stored XSS via malicious SVG uploads to app.typebot.io allows attackers to execute arbitrary JavaScript in victims' browsers, enabling session/token theft, account takeover, and exfiltration of sensitive user data. This issue has been fixed in version 3.16.0.

Key dates

02Disclosure timeline

May 22, 2026 CVE published

May 22, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-39970

Related vulnerabilities

CVE-2026-39970: TypeBot: Stored Cross-Site Scripting (XSS) via SVG File Upload On Profile Picture Form

01Description

02Disclosure timeline

03References

04Related CVE