CVE-2026-28445
CVE-2026-28445 affects Typebot up to version 3.15.2, where the RatingButton embed component renders user-controlled customIcon.svg via Solid innerHTML without sanitization, despite DOMPurify being present elsewhere. Because rating blocks aren’t flagged as unsafe by the import sanitizer and the bu...