Package impact
npm / @typebot.io/js
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-28445 | high | 8.7 | 8.7 | | | | 7d ago | Typebot has Stored XSS via Rating Block Custom Icon that Bypasses isUnsafe Sandbox in Builder Preview |
| CVE-2026-39964 | medium | 5.4 | 5.4 | | | | 7d ago | Typebot.io has stored XSS via `javascript:` URI in text bubble links — bot author executes JS on visitors' browsers |
| CVE-2025-65098 | unknown | — | — | | | | 4mo ago | Typebot affected by Credential Theft via Client-Side Script Execution and API Authorization Bypass |