CVE-2026-28443
Published: 05 March 2026
Summary
CVE-2026-28443 is a medium-severity SQL Injection (CWE-89) vulnerability in Openreplay Openreplay. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 25.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-28443 is a SQL injection vulnerability (CWE-89) affecting OpenReplay, a self-hosted session replay suite. The flaw exists in the POST /{projectId}/cards/search endpoint prior to version 1.20.0, specifically within the sort.field parameter. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact exploitation.
An unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows arbitrary SQL query execution, potentially leading to high confidentiality, integrity, and availability impacts, such as unauthorized data access, modification, or deletion within the affected OpenReplay database.
The issue has been addressed in OpenReplay version 1.20.0. Security practitioners should upgrade to this patched version immediately. Additional details are available in the GitHub Security Advisory at https://github.com/openreplay/openreplay/security/advisories/GHSA-q6gf-3qg3-pww5.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9880
Vulnerability details
OpenReplay is a self-hosted session replay suite. Prior to version 1.20.0, the POST /{projectId}/cards/search endpoint has a SQL injection in the sort.field parameter. This issue has been patched in version 1.20.0.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes an unauthenticated SQL injection in a publicly accessible web endpoint of OpenReplay, directly enabling remote exploitation of a public-facing application with no user interaction required.
Mitigating Controls (NIST 800-53 r5)
SI-10 enforces validation of information inputs like the sort.field parameter, directly preventing SQL injection exploitation.
SI-2 mandates timely flaw remediation, such as upgrading to OpenReplay version 1.20.0 to eliminate the SQL injection vulnerability.
RA-5 vulnerability scanning identifies SQL injection flaws like CVE-2026-28443 in endpoints prior to exploitation.
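The SI-10 control above comes down to one design decision: a caller-supplied sort field is an identifier, not a value, so it cannot be bound as a query parameter and must instead be mapped onto a fixed allowlist of columns. The following is an added example, not OpenReplay's code; the table schema, column names, request body shape and the `search_cards_*` function names are assumptions constructed for illustration. It shows the interpolating pattern the advisory describes next to the hardened form.

```python
"""Added example: allowlisting a caller-supplied sort field (NIST SI-10).
Not OpenReplay's code; schema and names are constructed for illustration."""
import sqlite3

# Hypothetical allowlist: keys are the names the API accepts in sort.field,
# values are the real column identifiers that may appear in SQL text.
SORT_FIELDS = {
    "name": "name",
    "created_at": "created_at",
    "owner": "owner_id",
}
SORT_ORDERS = {"asc": "ASC", "desc": "DESC"}


class InvalidSortField(ValueError):
    """Raised when sort.field or sort.order is not on the allowlist."""


def is_valid_sort_field(field):
    """True only for an exact allowlist key; no normalisation, no substrings."""
    return isinstance(field, str) and field in SORT_FIELDS


def build_order_by(field, order="asc"):
    """Translate validated request values into an ORDER BY fragment.

    The identifier that reaches the SQL text always comes from SORT_FIELDS,
    never from the request, so the fragment cannot carry injected SQL.
    """
    if not is_valid_sort_field(field):
        raise InvalidSortField(f"unsupported sort field: {field!r}")
    direction = SORT_ORDERS.get(str(order).lower())
    if direction is None:
        raise InvalidSortField(f"unsupported sort order: {order!r}")
    return f"ORDER BY {SORT_FIELDS[field]} {direction}"


def parse_sort(body):
    """Pull sort.field / sort.order out of a constructed search request body."""
    sort = body.get("sort") or {}
    return build_order_by(sort.get("field"), sort.get("order", "asc"))


def search_cards_vulnerable(conn, project_id, sort_field):
    """'Before' pattern: the untrusted sort field is spliced into SQL text.

    project_id is bound correctly, but ORDER BY accepts arbitrary expressions,
    so whatever the caller sends is evaluated by the database engine.
    """
    sql = f"SELECT id, name FROM cards WHERE project_id = ? ORDER BY {sort_field}"
    return conn.execute(sql, (project_id,)).fetchall()


def search_cards_hardened(conn, project_id, body):
    """'After' pattern: values are bound, identifiers come from the allowlist."""
    sql = "SELECT id, name FROM cards WHERE project_id = ? " + parse_sort(body)
    return conn.execute(sql, (project_id,)).fetchall()


def demo_db():
    """Constructed in-memory table standing in for the cards table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cards (id INTEGER PRIMARY KEY, project_id INTEGER, "
        "name TEXT, owner_id INTEGER, created_at TEXT)"
    )
    conn.executemany(
        "INSERT INTO cards VALUES (?, ?, ?, ?, ?)",
        [
            (1, 1, "beta", 10, "2026-01-02"),
            (2, 1, "alpha", 11, "2026-01-01"),
            (3, 2, "gamma", 10, "2026-01-03"),
        ],
    )
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(search_cards_hardened(db, 1, {"sort": {"field": "name"}}))
    try:
        search_cards_hardened(db, 1, {"sort": {"field": "name, (SELECT 1)"}})
    except InvalidSortField as exc:
        print("rejected:", exc)
```

The point of `build_order_by` is that the request value is used only as a dictionary key; the string that is concatenated into SQL is always one of the literals in `SORT_FIELDS`. A regex such as `^[a-z_]+$` is a weaker substitute because it still lets the caller name columns the endpoint never intended to expose. The same pattern applies to any other identifier position (table names, `GROUP BY`, `LIMIT` clauses built from user input) where parameter binding is not available.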