CVE Catalog

CVE-2026-48759

HighCVSS 7.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.20%

10th percentile — higher than 10% of all known CVEs

Summary

TypeBot is a chatbot builder tool that has an Insecure Direct Object Reference vulnerability in versions 3.15.2 and below. This allows authenticated users to modify or delete theme templates from other workspaces.

Risk Assessment

The organization may be exposed to unauthorized changes in theme templates, potentially leading to data loss or privacy breaches. Additionally, the exposure of template IDs may increase the risk of attacks.

Recommendation

It is recommended to upgrade TypeBot to version 3.16.0 to eliminate this vulnerability. A user access audit for theme templates should also be conducted.

Original NVD description (English source)

TypeBot is a chatbot builder tool. Versions 3.15.2 and below have an Insecure Direct Object Reference vulnerability through cross-workspace Theme Template modification and deletion. The handleSaveThemeTemplate and handleDeleteThemeTemplate handlers validate that the authenticated user is a non-guest member of the provided workspaceId, but then operate on themeTemplateId via Prisma queries that do NOT include workspaceId in the WHERE clause. This allows any authenticated user to modify or delete theme templates belonging to any other workspace and may expose Template IDs via shared typebots or network traffic. This issue has been fixed in version 3.16.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS