Description
A cross-site scripting (XSS) vulnerability in rrweb-snapshot before v2.0.0-alpha.18 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
Published: 2026-04-09
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary script execution in the victim's browser via cross‑site scripting
Action: Immediate Patch
AI Analysis

Impact

A cross‑site scripting weakness in the rrweb‑snapshot JavaScript library allows an attacker to construct a custom payload that is interpreted as executable script or markup when the library processes it. The vulnerability is classified as CWE‑79 and can lead to arbitrary code execution within the context of a victim’s browser session, potentially enabling theft of credentials, session hijacking, or defacement of content. The impact is limited to the user’s browser environment and does not directly affect the server or other users without the crafted payload.

Affected Systems

The flaw exists in rrweb‑snapshot prior to version 2.0.0‑alpha.18. All deployments that incorporate the library from the GitHub contributors list that reference older releases are potentially affected. No vendor-specific product licensing is listed, as the library is open‑source and distributed via GitHub.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity, and the CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog, suggesting no known widespread exploitation. The EPSS score is not available, so the precise likelihood of attack remains uncertain. Attackers would most likely deliver a crafted payload through a stored or reflected input that is captured by rrweb‑snapshot and then rendered in a victim’s browser. Without an attack surface that triggers the library’s vulnerable path, exploitation is unlikely, but the presence of the flaw allows for significant damage if such an input path exists.

Generated by OpenCVE AI on April 9, 2026 at 16:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade rrweb‑snapshot to version 2.0.0‑alpha.18 or later, ensuring the patch that closes the XSS issue is applied.
  • If an upgraded version cannot be released immediately, enable a strict Content Security Policy that disallows unsafe inline scripts and restricts allowed script sources to trusted domains.
  • Where possible, validate and sanitize all data that will be passed to rrweb‑snapshot before it is processed, removing any user‑supplied HTML tags or script elements.
  • Monitor application logs for unexpected or malformed payloads that might be attempting to exploit the library, and block or quarantine such traffic if detected.

Generated by OpenCVE AI on April 9, 2026 at 16:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Rrweb-io
Rrweb-io rrweb
Vendors & Products Rrweb-io
Rrweb-io rrweb

Thu, 09 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description A cross-site scripting (XSS) vulnerability in rrweb-snapshot before v2.0.0-alpha.18 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
References

Subscriptions

Rrweb-io Rrweb
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-09T14:50:42.343Z

Reserved: 2025-04-22T00:00:00.000Z

Link: CVE-2025-45806

cve-icon Vulnrichment

Updated: 2026-04-09T14:50:38.202Z

cve-icon NVD

Status : Received

Published: 2026-04-09T14:16:25.210

Modified: 2026-04-09T16:16:25.393

Link: CVE-2025-45806

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:33:17Z

Weaknesses