VYPR

Openreplay

by OpenReplay

CVEs (4)

  • CVE-2026-45296 (High) May 28, 2026
    risk 0.50, cvss 7.7, epss 0.00

    OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, OpenReplay's Python API exposes several app_apikey routes that trust a caller-provided projectKey after validating only that the API key itself is valid and that the target projectKey exists. The authorization…

  • CVE-2023-48226 (Medium) Nov 21, 2023
    risk 0.42, cvss 6.5, epss 0.01

    OpenReplay is a self-hosted session replay suite. In version 1.14.0, due to a lack of validation of the Name field in Account Settings (for registration the validation appears to be correct), a bad actor can send emails containing injected HTML to the victims. Bad actors can use this to…

  • CVE-2026-45297 (Medium) May 28, 2026
    risk 0.34, cvss not listed, epss 0.00

    OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, there is a cross-tenant IDOR on feature-flag and assist-stats routes via {project_id} case mismatch. ProjectAuthorizer.__call__ (OSS api/auth/auth_project.py:14-38 and EE ee/api/auth/auth_project.py:14-46) only…

  • CVE-2026-28443 Mar 5, 2026
    risk 0.00, cvss not listed, epss 0.00

    OpenReplay is a self-hosted session replay suite. Prior to version 1.20.0, the POST /{projectId}/cards/search endpoint has a SQL injection in the sort.field parameter. This issue has been patched in version 1.20.0.