What happened
TypeBot versions 3.16.1 and earlier (CVSS 9.3 CRITICAL, NVD June 18, 2026) expose an unauthenticated endpoint, POST /api/blocks/file-input/v3/generate-upload-url, that uses unsanitised fileName input to construct S3 object keys under the public/ prefix and issues presigned PUT URLs that do not bind Content-Type. Any anonymous user can supply a crafted fileName to write arbitrary content to arbitrary subpaths under that prefix, enabling arbitrary content hosting and stored XSS on the storage origin. Fixed in TypeBot 3.17.0.
Why it matters
TypeBot is a widely deployed open-source chatbot builder used to create AI-powered conversational flows. This unauthenticated file write allows attackers to inject malicious JavaScript into the chatbot's S3 storage origin, enabling stored XSS attacks against all users who interact with TypeBot-powered chatbots — potentially stealing session tokens, credentials, or conversational data from chatbot users at scale.
Attack vector
An unauthenticated attacker POSTs to /api/blocks/file-input/v3/generate-upload-url with a crafted fileName containing path traversal sequences, receives a presigned S3 PUT URL, and uploads malicious JavaScript to an arbitrary path under the public/ prefix, enabling stored XSS.
Affected systems
TypeBot (typebot.io) ≤ 3.16.1
Mitigation
Upgrade to TypeBot 3.17.0. See release: https://github.com/baptisteArno/typebot.io/releases/tag/v3.17.0