CVE-2026-49213 is a high-severity vulnerability in TypeBot's shared SSRF validator. Prior to version 3.17.2, the validator can be bypassed using the IPv6 unspecified address ::. This allows a workspace editor or creator to configure a server-side HTTP Request block or guarded script fetch to make the Typebot server connect to local HTTP services through safeKy, potentially leading to unauthorized access o [truncated]
CVE-2026-48768 is a critical vulnerability in TypeBot, a chatbot builder tool. Versions 3.16.1 and earlier are affected. The vulnerability allows unauthenticated file uploads, enabling arbitrary content hosting and potential stored XSS. This issue has been fixed in version 3.17.0. Affected users should update to version 3.17.0 or later to mitigate this vulnerability.
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-18T00:16:23.363Z and has not been modified since then. TypeBot, a chatbot builder tool, had a SSRF validation bypass vulnerability in versions prior to 3.17.2. The issue was caused by a time-of-check to time-of-use gap in the SSRF guard, allowing for DNS rebinding attacks. This could lead to server- [truncated]
CVE-2026-48759 is a HIGH-severity vulnerability in TypeBot, a chatbot builder tool. Versions 3.15.2 and below are affected by an Insecure Direct Object Reference (IDOR) vulnerability. This vulnerability allows any authenticated user to modify or delete theme templates belonging to any other workspace. The issue arises from the handleSaveThemeTemplate and handleDeleteThemeTemplate handlers, which validate [truncated]
CVE-2026-39968 describes an incomplete authorization fix in TypeBot, a chatbot builder tool. The vulnerability affects versions 3.15.2 and prior, where a patch for GHSA-4xc5-wfwc-jw47 failed to fully secure credential access controls. While the builder's getCredentials tRPC endpoint received workspace membership checks, the bot-engine runtime's preview chat endpoint remained vulnerable. The bot-engine's g [truncated]
TypeBot is an open-source chatbot builder platform. CVE-2026-39967 identifies an authorization flaw in the bot engine's `findResult` query where result data retrieval is not properly scoped to the requesting `typebotId`. An authenticated attacker with knowledge of a valid foreign `resultId` can supply this identifier to the `startChat` endpoint and retrieve prior session data—including user answers, varia [truncated]