Skip to main content

OpenReplay CVE-2026-55879

| EUVDEUVD-2026-43030 CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2026-07-10 GitHub_M
9.3
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
vuln.today AI
9.3 CRITICAL

Unauthenticated injection via public project key (PR:N) over the network, but a dashboard operator must view the session (UI:R); XSS crosses from SDK into dashboard origin (S:C) enabling JWT theft and account takeover (C:H/I:H).

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 22:02 EUVD
Analysis Generated
Jul 10, 2026 - 21:35 vuln.today

DescriptionCVE.org

OpenReplay is a self-hosted session replay suite. From 1.24.0 before 1.25.0, the OpenReplay tracking SDK accepts custom event names and captured page URLs from any visitor using a public project key, stores them in ClickHouse without output encoding, and later renders them in the authenticated dashboard through TextEllipsis and the event-details modal, allowing an unauthenticated attacker to store script that executes in the dashboard origin, reads the session JWT from localStorage, and takes over a dashboard account. This issue is fixed in version 1.25.0.

AnalysisAI

Stored cross-site scripting in OpenReplay 1.24.0 through versions before 1.25.0 allows an unauthenticated attacker holding only a public project key to inject script via custom event names and captured page URLs, which the tracking SDK stores in ClickHouse without output encoding and the authenticated dashboard later renders through TextEllipsis and the event-details modal. When a logged-in operator views the poisoned session, the payload executes in the dashboard origin, reads the session JWT from localStorage, and enables full dashboard account takeover. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain public project key
Delivery
Submit crafted event name/page URL via SDK
Exploit
Payload stored unescaped in ClickHouse
Install
Operator views session in dashboard
C2
Script executes in dashboard origin
Execute
Read session JWT from localStorage
Impact
Take over dashboard account

Vulnerability AssessmentAI

Exploitation Exploitation requires that the attacker possess a valid public project key for a target OpenReplay instance running an affected version (1.24.0 to before 1.25.0) - this key is client-side and effectively public, so it is a low bar rather than a real authentication barrier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are mostly aligned toward a genuine high priority but with meaningful caveats. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who obtains a target deployment's public project key (embedded client-side in any site running the OpenReplay SDK) submits crafted custom event names or page URLs containing a script payload, which is stored unescaped in ClickHouse. When a legitimate authenticated operator later opens that session in the dashboard and the value renders through TextEllipsis or the event-details modal, the script executes in the dashboard origin, reads the session JWT from localStorage, and exfiltrates it to take over the operator's account. …
Remediation Vendor-released patch: 1.25.0 - upgrade all OpenReplay components to v1.25.0 (release https://github.com/openreplay/openreplay/releases/tag/v1.25.0), which introduces output encoding in the affected rendering paths; the corresponding fix commit is ec41f4425a99c478a4418adbd2f094ab6a8b0daf and the advisory is GHSA-3mfc-7hf4-jfxh. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all OpenReplay deployments and identify instances running versions 1.24.0 through 1.24.x; restrict dashboard access to essential personnel only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55879 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy