CVE-2025-65098

HIGH EPSS 21.6%
Published Jan 22, 20265mo ago · Modified Jun 17, 20261w ago
7.4 CVSS 3.1
High
Find Similar
Published Jan 22, 2026 5mo ago
Last Modified Jun 17, 2026 1w ago

Description

Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking "Run", JavaScript executes in their browser and exfiltrates their OpenAI keys, Google Sheets tokens, and SMTP passwords. The `/api/trpc/credentials.getCredentials` endpoint returns plaintext API keys without verifying credential ownership. Version 3.13.2 fixes the issue.

CVSS Details

Base Score
7.4
Exploitability
2.8
Impact
4.0
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality High
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
21.6% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available

Weaknesses 7

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor Information Exposure
CWE-284
CWE-311
CWE-522
CWE-639
CWE-79 Cross-site Scripting Injection
CWE-862 Missing Authorization Authorization

Affected Products 1

VendorProductVersionRange
typebottypebot* <3.13.2

References 1

  • github.com https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-4xc5-wfwc-jw47
    ExploitVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.