SQL Injection Vulnerability in OpenReplay Session Replay Suite
CVE-2026-28443

6.9MEDIUM

Key Information:

Vendor

Openreplay

Vendor
CVE Published:
5 March 2026

What is CVE-2026-28443?

OpenReplay is a self-hosted session replay suite that allows organizations to monitor user interactions on their applications. Prior to version 1.20.0, the platform contained a vulnerability in the POST /{projectId}/cards/search endpoint, where improper validation of the sort.field parameter made it susceptible to SQL injection attacks. This flaw could potentially allow attackers to execute arbitrary SQL queries, risking data integrity and exposing sensitive information. The vulnerability has been addressed in version 1.20.0, which users are strongly encouraged to upgrade to in order to ensure the security of their applications.

Affected Version(s)

openreplay < 1.20.0

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.