CVE-2026-45296
- EPSS 0.23%
- Published 28.05.2026 16:51:47
- Last modified 28.05.2026 18:40:37
OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, OpenReplay's Python API exposes several app_apikey routes that trust a caller-provided projectKey after validating only that the API key itself is valid and that the target projectKey...
CVE-2026-45297
- EPSS 0.21%
- Published 28.05.2026 16:50:38
- Last modified 28.05.2026 18:40:37
OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, there is a cross-tenant IDOR on feature-flag and assist-stats routes via {project_id} case mismatch. ProjectAuthorizer.__call__ (OSS api/auth/auth_project.py:14-38 and EE ee/api/auth/...
CVE-2026-28443
- EPSS 0.34%
- Published 05.03.2026 20:53:17
- Last modified 17.03.2026 15:45:31
OpenReplay is a self-hosted session replay suite. Prior to version 1.20.0, the POST /{projectId}/cards/search endpoint has a SQL injection in the sort.field parameter. This issue has been patched in version 1.20.0.
CVE-2023-48226
- EPSS 0.78%
- Published 21.11.2023 20:15:07
- Last modified 21.11.2024 08:31:15
OpenReplay is a self-hosted session replay suite. In version 1.14.0, due to a lack of validation of the Name field in Account Settings (validation at registration appears to be correct), a bad actor can send emails containing injected HTML code to victims. Bad ...