Cross-Site Scripting Vulnerability in rrweb-snapshot from rrweb
CVE-2025-45806

6.1MEDIUM

Key Information:

Vendor: rrweb
Status: rrweb-snapshot
Vendor: CVE Published:; 9 April 2026

What is CVE-2025-45806?

The rrweb-snapshot component is affected by a cross-site scripting (XSS) vulnerability that allows attackers to inject and execute arbitrary web scripts or HTML code through a specially crafted payload. This exposes users to potential data theft, session hijacking, or other malicious activities if exploited. Users of rrweb-snapshot versions prior to v2.0.0-alpha.18 should take immediate action to mitigate this vulnerability by upgrading to the latest version.

References

https://github.com/rrweb-io/rrweb

https://github.com/rrweb-io/rrweb/tree/master/packages/rr...

https://github.com/rrweb-io/rrweb/issues/1817

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 9, 2026
Vulnerability Reserved
Apr 22, 2025

CVE-2025-45806 Data

JSON