SQL Injection Vulnerability in OpenReplay Session Replay Suite
CVE-2026-28443
6.9MEDIUM
What is CVE-2026-28443?
OpenReplay is a self-hosted session replay suite that allows organizations to monitor user interactions on their applications. Prior to version 1.20.0, the platform contained a vulnerability in the POST /{projectId}/cards/search endpoint, where improper validation of the sort.field parameter made it susceptible to SQL injection attacks. This flaw could potentially allow attackers to execute arbitrary SQL queries, risking data integrity and exposing sensitive information. The vulnerability has been addressed in version 1.20.0, which users are strongly encouraged to upgrade to in order to ensure the security of their applications.
Affected Version(s)
openreplay < 1.20.0
