External risk intelligence

Typebot Arbitrary Content Upload and Stored XSS via Unauthenticated File Input

CVE advisory · Severity: CRITICAL (CVSS 9.3)

CVE-2026-48768

An unauthenticated vulnerability in TypeBot allows anonymous visitors to upload malicious files. This could lead to arbitrary content hosting and cross-site scripting attacks on the storage origin. Please confirm if TypeBot is used within your organization.

Path Traversal

Halo Surface Signal: 5 · Very likely · external exposure

TypeBot is a chatbot builder tool designed to be embedded in public websites. The vulnerable endpoint is part of a public-facing bot interface used to interact with anonymous visitors, making it accessible by design to any user on the internet.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in TypeBot, a tool used for building chatbots. If exploited, the issue could allow anonymous visitors to upload malicious files, potentially leading to the hosting of arbitrary content and stored cross-site scripting attacks. The first priority is to confirm whether the tool is in use and exposed, so that the potential impact can be assessed.

  • Unauthenticated file uploads can host malicious content.
  • Critical flaw allows arbitrary content hosting and XSS.
  • Verify if this chatbot tool is used within the organization.

Attack Path

How an attacker could exploit the issue

An attacker can leverage an unauthenticated API endpoint to upload malicious files to a TypeBot instance. This allows for arbitrary content hosting on cloud storage, potentially leading to cross-site scripting attacks that affect the storage origin.

  • No authentication required.
  • Uploading files via a public API.
  • Arbitrary content hosting and XSS.

Live Threat

Current exploitation, exposure, and threat context

As described in the advisory, anonymous visitors to published TypeBot bots that include a file input could upload HTML, SVG, or JavaScript files to public storage locations. This could lead to the hosting of arbitrary content and to cross-site scripting attacks that originate from the storage service.

  • Publicly accessible bot files.
  • Uploading malicious content via a public endpoint.
  • Stored XSS on storage origin.

Operational Fix

Recommended remediation, mitigation, and detection steps

Application owners responsible for TypeBot instances should prioritize identifying all deployed instances and confirming their reachability and business criticality. This initial assessment will inform the accountable owner and guide the subsequent remediation plan based on the identified risk.

  • Application owners, Platform teams.
  • Verify public bot reachability and S3 bucket configuration.
  • Plan remediation during the next maintenance window.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-48768 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability in TypeBot allows unauthenticated attackers to upload arbitrary content, potentially leading to stored cross-site scripting (XSS) and impacting the security of web applications.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.


Frequently asked questions

What is TypeBot?

TypeBot is a chatbot builder platform that enables users to create conversational interfaces. Organizations frequently embed these chatbots into their public-facing websites or applications to interact with visitors and collect data, such as through file-upload prompts.

What does CVE-2026-48768 mean for my security?

This CVE describes a flaw involving improper input validation that permits path traversal (CWE-22) and cross-site scripting (CWE-79). Because the software fails to properly check file names or restrict content types during an upload, an unauthorized user can store malicious web files, such as scripts, on your storage server, where they may then execute in a visitor's browser.

How does an attacker trigger this vulnerability?

An attacker uses a specific, unauthenticated API endpoint within TypeBot to upload files. While the system rejects path traversal sequences such as '..', it does not stop forward slashes in the supplied file name, so an attacker can control the file path and place malicious files in locations where they are publicly accessible.

Is my instance at risk?

According to Halo Surface Signal, this vulnerability is highly relevant if you use TypeBot because the tool is designed to be embedded in public websites. Since the vulnerable endpoint is intended for use by anonymous visitors, any instance exposed to the internet is accessible by design, regardless of how you have configured your internal storage buckets.

How do I fix this issue?

You should verify if you are running TypeBot version 3.16.1 or earlier. If you are, the required action is to update your software to version 3.17.0 or newer. Begin by identifying all instances of TypeBot within your environment and plan to apply this update as soon as possible to secure your file-upload endpoints.
