CVE-2026-55879

OpenReplay · OpenReplay

A stored Cross-Site Scripting (XSS) vulnerability in the OpenReplay tracking SDK allows unauthenticated attackers to execute malicious scripts in the administrative dashboard.

Executive summary

A critical stored XSS vulnerability in OpenReplay allows unauthenticated attackers to execute arbitrary JavaScript in the dashboard, leading to potential session token theft and account takeover.

Vulnerability

The tracking SDK fails to properly sanitize custom event names and page URLs, which are then rendered in the authenticated dashboard. An unauthenticated attacker can inject malicious scripts that execute in the dashboard origin, allowing them to steal session JWTs from local storage.

Business impact

This vulnerability carries a CVSS score of 9.3, reflecting the high impact of a full administrative account takeover. Compromise of the OpenReplay dashboard grants an attacker visibility into sensitive session replays and potentially allows for lateral movement within the organization’s environment.

Remediation

Immediate Action: Upgrade to OpenReplay version 1.25.0 or later to ensure proper output encoding is applied to all rendered events and URLs.

Proactive Monitoring: Review audit logs for suspicious activity within the OpenReplay dashboard and monitor for unauthorized access to session data or configuration changes.

Compensating Controls: Implement strict Content Security Policy (CSP) headers to restrict script execution origins and prevent the exfiltration of sensitive tokens to external domains.

Exploitation status

Public Exploit Available: False

Analyst recommendation

This vulnerability is highly dangerous as it bypasses traditional perimeter security by targeting the administrative interface via the tracking SDK. Organizations should prioritize updating to version 1.25.0 to eliminate the injection vector and secure sensitive administrative sessions.