Description
OpenReplay is a self-hosted session replay suite. Prior to version 1.20.0, the POST /{projectId}/cards/search endpoint has a SQL injection in the sort.field parameter. This issue has been patched in version 1.20.0.
Published: 2026-03-05
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection allowing unauthorized database access or modification
Action: Update to v1.20.0
AI Analysis

Impact

OpenReplay’s POST /{projectId}/cards/search endpoint contains a SQL injection through the unvalidated sort.field parameter. An attacker can inject arbitrary SQL statements, potentially reading, modifying, or deleting data stored in the database, including sensitive session information. The weakness is a classic injection flaw, classified as CWE‑89.

Affected Systems

OpenReplay is affected for all self‑hosted instances running any version prior to 1.20.0. The flaw exists in the openreplay openreplay product and is present in all installations exposing the cards/search API, regardless of deployment size or configuration.

Risk and Exploitability

The CVSS score of 6.9 denotes a medium severity vulnerability. The EPSS score is below 1%, indicating a low probability of exploitation in the wild. The flaw is not listed in CISA’s KEV catalog. Attackers would need network access to the API endpoint and the capability to supply a malicious sort.field value, typically via HTTP POST requests. Successful exploitation would allow unauthorized data reads or modifications, compromising confidentiality and integrity of the stored data.

Generated by OpenCVE AI on April 16, 2026 at 12:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the OpenReplay installation to version 1.20.0 or later to apply the vendor fix.
  • Validate and whitelist acceptable values for the sort.field parameter in the application code to ensure only predefined sorting options are accepted.
  • Configure network or application firewalls to detect and block suspicious payloads containing SQL injection patterns on the cards/search endpoint.
  • Monitor access logs for repeated attempts to inject malicious input into the sort.field parameter and investigate any anomalies.

Generated by OpenCVE AI on April 16, 2026 at 12:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:openreplay:openreplay:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 06 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Openreplay
Openreplay openreplay
Vendors & Products Openreplay
Openreplay openreplay

Thu, 05 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
Description OpenReplay is a self-hosted session replay suite. Prior to version 1.20.0, the POST /{projectId}/cards/search endpoint has a SQL injection in the sort.field parameter. This issue has been patched in version 1.20.0.
Title OpenReplay: SQL injection in cards/search via unvalidated sort field parameter
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Openreplay Openreplay
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T16:08:11.944Z

Reserved: 2026-02-27T15:54:05.140Z

Link: CVE-2026-28443

cve-icon Vulnrichment

Updated: 2026-03-06T16:08:07.360Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-05T21:16:22.483

Modified: 2026-03-17T15:45:31.737

Link: CVE-2026-28443

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T12:15:35Z

Weaknesses