{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-05T09:33:33.052","vulnerabilities":[{"cve":{"id":"CVE-2025-65098","sourceIdentifier":"security-advisories@github.com","published":"2026-01-22T15:16:48.370","lastModified":"2026-01-30T14:32:00.327","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking \"Run\", JavaScript executes in their browser and exfiltrates their OpenAI keys, Google Sheets tokens, and SMTP passwords. The `/api/trpc/credentials.getCredentials` endpoint returns plaintext API keys without verifying credential ownership. Version 3.13.2 fixes the issue."},{"lang":"es","value":"Typebot es un creador de chatbots de código abierto. En versiones anteriores a la 3.13.2, la ejecución de scripts del lado del cliente en Typebot permite robar todas las credenciales almacenadas de cualquier usuario. Cuando una víctima previsualiza un typebot malicioso al hacer clic en 'Run', JavaScript se ejecuta en su navegador y exfiltra sus claves de OpenAI, tokens de Google Sheets y contraseñas SMTP. El endpoint `/api/trpc/credentials.getCredentials` devuelve claves API en texto plano sin verificar la propiedad de las credenciales. La versión 3.13.2 corrige el problema."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N","baseScore":7.4,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":4.0}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-79"},{"lang":"en","value":"CWE-200"},{"lang":"en","value":"CWE-284"},{"lang":"en","value":"CWE-311"},{"lang":"en","value":"CWE-522"},{"lang":"en","value":"CWE-639"},{"lang":"en","value":"CWE-862"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-79"},{"lang":"en","value":"CWE-522"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:typebot:typebot:*:*:*:*:*:-:*:*","versionEndExcluding":"3.13.2","matchCriteriaId":"C9C0CE68-9A17-446B-B206-5821B6DB884D"}]}]}],"references":[{"url":"https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-4xc5-wfwc-jw47","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]},{"url":"https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-4xc5-wfwc-jw47","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Vendor Advisory"]}]}}]}