{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28443", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-27T15:54:05.140Z", "datePublished": "2026-03-05T20:53:17.967Z", "dateUpdated": "2026-03-06T16:08:11.944Z"}, "containers": {"cna": {"title": "OpenReplay: SQL injection in cards/search via unvalidated sort field parameter", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/openreplay/openreplay/security/advisories/GHSA-q6gf-3qg3-pww5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openreplay/openreplay/security/advisories/GHSA-q6gf-3qg3-pww5"}], "affected": [{"vendor": "openreplay", "product": "openreplay", "versions": [{"version": "< 1.20.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-05T20:53:17.967Z"}, "descriptions": [{"lang": "en", "value": "OpenReplay is a self-hosted session replay suite. Prior to version 1.20.0, the POST /{projectId}/cards/search endpoint has a SQL injection in the sort.field parameter. This issue has been patched in version 1.20.0."}], "source": {"advisory": "GHSA-q6gf-3qg3-pww5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T16:08:03.455688Z", "id": "CVE-2026-28443", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T16:08:11.944Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28443", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-06T16:08:03.455688Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T16:08:07.360Z"}}], "cna": {"title": "OpenReplay: SQL injection in cards/search via unvalidated sort field parameter", "source": {"advisory": "GHSA-q6gf-3qg3-pww5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "openreplay", "product": "openreplay", "versions": [{"status": "affected", "version": "< 1.20.0"}]}], "references": [{"url": "https://github.com/openreplay/openreplay/security/advisories/GHSA-q6gf-3qg3-pww5", "name": "https://github.com/openreplay/openreplay/security/advisories/GHSA-q6gf-3qg3-pww5", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "OpenReplay is a self-hosted session replay suite. Prior to version 1.20.0, the POST /{projectId}/cards/search endpoint has a SQL injection in the sort.field parameter. This issue has been patched in version 1.20.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-05T20:53:17.967Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28443", "state": "PUBLISHED", "dateUpdated": "2026-03-06T16:08:11.944Z", "dateReserved": "2026-02-27T15:54:05.140Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-05T20:53:17.967Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openreplay:openreplay:*:*:*:*:*:*:*:*", "matchCriteriaId": "CF5C05FB-D193-4C72-92D9-B0C023DF843F", "versionEndExcluding": "1.20.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenReplay is a self-hosted session replay suite. Prior to version 1.20.0, the POST /{projectId}/cards/search endpoint has a SQL injection in the sort.field parameter. This issue has been patched in version 1.20.0."}, {"lang": "es", "value": "OpenReplay es una suite de reproducci\u00f3n de sesiones autoalojada. Antes de la versi\u00f3n 1.20.0, el endpoint POST /{projectId}/cards/search tiene una inyecci\u00f3n SQL en el par\u00e1metro sort.field. Este problema ha sido parcheado en la versi\u00f3n 1.20.0."}], "id": "CVE-2026-28443", "lastModified": "2026-03-17T15:45:31.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-05T21:16:22.483", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/openreplay/openreplay/security/advisories/GHSA-q6gf-3qg3-pww5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.20.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openreplay", "source": "cna", "vendor": "openreplay"}, "product": "openreplay", "vendor": "openreplay"}], "analysis": {"en": {"generated_at": "2026-04-16T12:07:51.929590+00:00", "value": {"mitigation_remediation": ["Upgrade the OpenReplay installation to version 1.20.0 or later to apply the vendor fix.", "Validate and whitelist acceptable values for the sort.field parameter in the application code to ensure only predefined sorting options are accepted.", "Configure network or application firewalls to detect and block suspicious payloads containing SQL injection patterns on the cards/search endpoint.", "Monitor access logs for repeated attempts to inject malicious input into the sort.field parameter and investigate any anomalies."], "summary": {"action": "Update to v1.20.0", "impact": "SQL Injection allowing unauthorized database access or modification"}, "threat_synthesis": {"affected_systems": "OpenReplay is affected for all self\u2011hosted instances running any version prior to 1.20.0. The flaw exists in the openreplay openreplay product and is present in all installations exposing the cards/search API, regardless of deployment size or configuration.", "description_and_impact": "OpenReplay\u2019s POST /{projectId}/cards/search endpoint contains a SQL injection through the unvalidated sort.field parameter. An attacker can inject arbitrary SQL statements, potentially reading, modifying, or deleting data stored in the database, including sensitive session information. The weakness is a classic injection flaw, classified as CWE\u201189.", "risk_and_exploitability": "The CVSS score of 6.9 denotes a medium severity vulnerability. The EPSS score is below 1%, indicating a low probability of exploitation in the wild. The flaw is not listed in CISA\u2019s KEV catalog. Attackers would need network access to the API endpoint and the capability to supply a malicious sort.field value, typically via HTTP POST requests. Successful exploitation would allow unauthorized data reads or modifications, compromising confidentiality and integrity of the stored data."}}}}, "created": "2026-03-06T15:00:54.858029+00:00", "updated": "2026-04-16T12:15:35.088455+00:00", "vendors": ["openreplay", "openreplay$PRODUCT$openreplay"]}