CVE Catalog

CVE-2026-48768

CriticalCVSS 9.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.27%

18th percentile — higher than 18% of all known CVEs

Summary

TypeBot is a chatbot builder tool that in versions 3.16.1 and earlier has an unauthenticated endpoint for generating upload URLs. This allows anonymous users to upload malicious HTML, SVG, or JS files, potentially leading to stored XSS.

Risk Assessment

Organizations may be exposed to XSS attacks and malicious content hosting, which can impact data security and company reputation.

Recommendation

It is recommended to update TypeBot to version 3.17.0 to mitigate this vulnerability and implement additional authorization mechanisms for API endpoints.

Original NVD description (English source)

TypeBot is a chatbot builder tool. In versions 3.16.1 and earlier, POST /api/blocks/file-input/v3/generate-upload-url is unauthenticated and uses unsanitized fileName input to construct public/ S3 object keys, while issuing presigned PUT URLs that do not bind Content-Type. As a result, any anonymous visitor to a published bot with a file input can upload attacker-controlled HTML, SVG, or JS to attacker-chosen subpaths, including other tenants’ publicly served result paths, enabling arbitrary content hosting and potential stored XSS on the storage origin. ../ traversal is blocked by S3/MinIO canonicalization (signature mismatch), but forward-slash path injection is exploitable. This issue has been fixed in version 3.17.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS