OpenReplay fixed a critical stored cross-site scripting flaw, tracked as CVE-2026-55879, that affects versions 1.24.0 before 1.25.0 and can let an unauthenticated attacker take over dashboard accounts. The issue allows anyone with a public project key to submit malicious custom event names or page URLs that are stored by the platform and later rendered in the authenticated dashboard, where attacker-controlled JavaScript can execute in the dashboard origin, steal the session JWT from localStorage, and hijack user access. The vulnerability is rated CVSS 9.3 and mapped to CWE-79.
The remediation shipped in OpenReplay v1.25.0 and was reflected in subsequent code changes that centralized output encoding for event read paths. The patch escapes event entries and nested property maps on the backend before returning data from SearchEvents and GetEventByID, and also hardens the frontend by escaping JSON shown in EventDetailsModal, replacing innerHTML with textContent in a text measurement helper, and adding a reusable HTML-escaping utility. Together, the changes indicate the flaw stemmed from unsanitized event content being inserted into the UI without proper output encoding.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-55879 was published describing a critical unauthenticated stored XSS in OpenReplay versions 1.24.0 before 1.25.0. The advisory says attackers with a public project key could inject malicious event names or page URLs that execute in the dashboard and enable account takeover.
A GitHub commit added backend sanitization and frontend escaping changes to event data handling, including escaping strings before rendering and replacing unsafe HTML insertion patterns. The changes are consistent with remediation of a stored XSS risk in event content displayed in the dashboard.
OpenReplay published release v1.25.0, which explicitly mentions security enhancements alongside other feature additions and bug fixes. The CVE reference states this version contains the fix for the stored XSS issue affecting earlier versions.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
cvefeed.io
Open sourcegithub.com
Open sourcegithub.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.