CVE-2026-28443
OpenReplay: SQL injection in cards/search via unvalidated sort field parameter
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
OpenReplay is a self-hosted session replay suite. Prior to version 1.20.0, the POST /{projectId}/cards/search endpoint is vulnerable to SQL injection through the unvalidated sort.field parameter. This issue has been patched in version 1.20.0.
| Field | Value |
| --- | --- |
| CWE | CWE-89 |
| Vendor | openreplay |
| Product | openreplay |
| Published | Mar 5, 2026 |
| Last Updated | Mar 6, 2026 |
Affected Versions
openreplay / openreplay
< 1.20.0