CVE-2025-65098
HIGH EPSS 21.6%
Published Jan 22, 20265mo ago · Modified Jun 17, 20261w ago
7.4 CVSS 3.1
Published Jan 22, 2026 5mo ago
Last Modified Jun 17, 2026 1w ago
Description
Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking "Run", JavaScript executes in their browser and exfiltrates their OpenAI keys, Google Sheets tokens, and SMTP passwords. The `/api/trpc/credentials.getCredentials` endpoint returns plaintext API keys without verifying credential ownership. Version 3.13.2 fixes the issue.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality High
Integrity None
Availability None
Threat Intelligence
EPSS Exploit Probability
21.6% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available
Weaknesses 7
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor Information Exposure
CWE-284
CWE-311
CWE-522
CWE-639
CWE-79 Cross-site Scripting Injection
CWE-862 Missing Authorization Authorization
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| typebot | typebot | * | <3.13.2 |
References 1
- github.com https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-4xc5-wfwc-jw47
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.