CVE-2026-55879 PUBLISHED

OpenReplay: Unauthenticated stored XSS leads to dashboard account takeover

Assigner: GitHub_M
Reserved: 17.06.2026 Published: 10.07.2026 Updated: 10.07.2026

OpenReplay is a self-hosted session replay suite. From 1.24.0 before 1.25.0, the OpenReplay tracking SDK accepts custom event names and captured page URLs from any visitor using a public project key, stores them in ClickHouse without output encoding, and later renders them in the authenticated dashboard through TextEllipsis and the event-details modal, allowing an unauthenticated attacker to store script that executes in the dashboard origin, reads the session JWT from localStorage, and takes over a dashboard account. This issue is fixed in version 1.25.0.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
CVSS Score: 9.3

Product Status

Vendor openreplay
Product openreplay
Versions
  • Version >= 1.24.0, < 1.25.0 is affected

References

Problem Types

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE