CVE-2026-55880: OpenReplay is a self-hosted session replay suite. In 1.27.0 and earlier, three dashboard and note mutation functions ran their SQL without the ownership predicate that their siblin
OpenReplay is a self-hosted session replay suite. In 1.27.0 and earlier, three dashboard and note mutation functions ran their SQL without the ownership predicate that their sibling read and edit functions use: notes.delete filtered only on note id and project id, while dashboards.update_widget and dashboards.remove_widget filtered only on dashboard id and widget id, allowing any authenticated member to delete another user's private session notes and remove or rewrite widgets on another user's private dashboards.
Details
Original advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-55880
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-55880 | coverage & exploitation status | NVD · CVE.org |
Recent advisories for OpenReplay is a
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- mediumCVE-2026-57230: OpenReplay is a self-hosted session replay suite. Prior to 1.27.0, the session search and anal…nvd · 2026-07-10
- unknownCVE-2026-55881: OpenReplay is a self-hosted session replay suite. From 1.22.0 before 1.27.0, getFirstMob retur…nvd · 2026-07-10
- criticalCVE-2026-55879: OpenReplay is a self-hosted session replay suite. From 1.24.0 before 1.25.0, the OpenReplay tr…nvd · 2026-07-10
More from NVD Recent CVEs
- unknownCVE-2026-57828: The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file upload t…2026-07-11
- unknownCVE-2026-57827: The Joomla extension RSFiles is vulnerable to an unauthenticated arbitrary file upload that al…2026-07-11
- highCVE-2026-1359: The Genolve – AI image AI video generation plugin for WordPress is vulnerable to unauthorized m…2026-07-11
- highCVE-2026-9282: The W3 Total Cache plugin for WordPress is vulnerable to Directory Traversal in all versions up…2026-07-11
- mediumCVE-2026-9017: The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to autho…2026-07-11