PT-2026-23518 · Unknown · Openreplay

Q1Uf3Ng · Published 2026-03-05 · Updated 2026-03-25 · CVE-2026-28443

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenReplay versions prior to 1.20.0

Description: OpenReplay is a self-hosted session replay suite. In versions before 1.20.0, the /{projectId}/cards/search API endpoint is vulnerable to SQL injection through the sort.field parameter. By manipulating sort.field in a request to this endpoint, an unauthenticated attacker can potentially read or modify the database without authorization.

Recommendations: Update to version 1.20.0 or later.

Exploit · Fix · SQL injection

Weakness Enumeration

Related Identifiers
CVE-2026-28443
GHSA-Q6GF-3QG3-PWW5

Affected Products
Openreplay