| CVE | Severity | CVSS | EPSS | KEV | Fix status | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-14142 | Medium | 5.4 v3 | - | - | No fix available yet | 2026-06-30 | Inappropriate implementation in Extensions in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) |
| CVE-2026-44727 | Medium | 5.4 v3 | 0.2% | - | Fix available | 2026-06-22 | Jupyter Server is the backend for Jupyter web applications. Prior to 2.20, the nbconvert HTTP handlers in jupyter_server render user-authored notebook HTML under the Jupyter origin without a sandbox directive in their Content-Security-Policy. Combined with nbconvert.HTMLExporter's default non-sanitizing behavior, a notebook carrying an HTML payload in a display_data output triggers stored XSS with cookie access, full /api/* authority, and kernel RCE. This vulnerability is fixed in 2.20. |
| CVE-2026-12348 | High | 7.4 v3 | 0.3% | - | No fix available yet | 2026-06-17 | Address bar spoofing in Arc Search for Android allows a remote attacker to display a trusted domain in the address bar while rendering attacker-controlled content, enabling phishing. |
| CVE-2026-12323 | Medium | 5.4 v3 | 0.2% | - | Fix available | 2026-06-16 | Spoofing issue in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 152 and Thunderbird 152. |
| CVE-2026-12322 | Medium | 5.4 v3 | 0.2% | - | Fix available | 2026-06-16 | Clickjacking issue in the Widget: Gtk component. This vulnerability was fixed in Firefox 152 and Thunderbird 152. |
| CVE-2026-10733 | Medium | 4.3 v3 | 0.2% | - | Fix available | 2026-06-11 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.0 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that could have allowed an authenticated user to cause denial of service on the CI/CD Catalog page due to improper sanitization. |
| CVE-2026-28577 | High | 7.8 v3 | 0.1% | - | No fix available yet | 2026-06-01 | In addWindow of WindowManagerService.java, there is a possible tapjacking issue due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2026-0061 | Medium | 5.9 v3 | 0.1% | - | No fix available yet | 2026-06-01 | In multiple functions of WindowState.java, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2026-0036 | High | 7.8 v3 | 0.1% | - | No fix available yet | 2026-06-01 | In startAnimation of StageCoordinator.java, there is a possible tapjacking issue due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2026-21785 | Medium | 4.0 v3 | 0.1% | - | No fix available yet | 2026-05-27 | A misconfigured Content Security Policy (CSP) in HCL BigFix Remote Control Server WebUI (versions 10.1.0.0442 and earlier) fails to define directives without fallbacks, allowing attackers to bypass intended security restrictions and load unauthorized resources. |
| CVE-2026-25681 | Medium | 6.1 v3 | 0.2% | - | Fix available | 2026-05-27 | Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering. |
| CVE-2026-27136 | Medium | 6.1 v3 | 0.2% | - | Fix available | 2026-05-27 | Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering. |
| CVE-2026-42502 | Medium | 6.1 v3 | 0.2% | - | Fix available | 2026-05-27 | Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering. |
| CVE-2026-9396 | Low | 3.7 v3 | 0.3% | - | No fix available yet | 2026-05-24 | A security flaw has been discovered in Besen BS20 EV Charging Station up to 20260426. Affected by this vulnerability is an unknown functionality of the component Firmware Version Check. The manipulation results in improper restriction of rendered UI layers. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitation appears to be difficult. The original disclosure mentions that "[t]hese vulnerabilities have been reported to Besen and we have received their acknowledgement that they are reviewing this as of April 2026." |
| CVE-2025-62316 | Low | 2.3 v3 | 0.1% | - | No fix available yet | 2026-05-14 | HCL AION is affected by a vulnerability where certain security-related HTTP response headers are not properly configured. Absence of these headers may reduce the effectiveness of browser-based security controls and could expose the application to limited security risks under specific conditions. |
| CVE-2026-28971 | Medium | 4.3 v3 | 0.3% | - | Fix available | 2026-05-11 | The issue was addressed with improved UI handling. This issue is fixed in Safari 26.5, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5. A malicious iframe may use another website's download settings. |
| CVE-2026-8022 | Low | 3.1 v3 | 0.2% | - | Fix available | 2026-05-07 | This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. |
| CVE-2026-3254 | Low | 3.5 v3 | 0.2% | - | No fix available yet | 2026-04-22 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that under certain conditions could have allowed an authenticated user to load unauthorized content into another user's browser due to improper input validation in the Mermaid sandbox. |
| CVE-2026-2378 | High | 7.4 v3 | 0.2% | - | Fix available | 2026-03-20 | ArcSearch for Android versions prior to 1.12.7 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content. |
| CVE-2025-62328 | Low | 3.7 v3 | 0.2% | - | No fix available yet | 2026-03-11 | HCL Nomad server on Domino did not configure the frame-ancestors directive in the Content-Security-Policy header by default, which could allow an attacker to obtain sensitive information via unspecified vectors. |
| CVE-2026-0007 | High | 8.6 v3 | 0.1% | - | No fix available yet | 2026-03-02 | In writeToParcel of WindowInfo.cpp, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2025-58405 | Medium | 6.1 v3 | 0.2% | - | Fix available | 2026-03-02 | The CGM CLININET application does not implement any mechanisms that prevent clickjacking attacks; neither HTTP security headers nor HTML-based frame-busting protections were detected. As a result, an attacker can embed the application inside a maliciously crafted IFRAME and trick users into performing unintended actions, including potentially bypassing CSRF/XSRF defenses. |
| CVE-2026-27511 | Medium | 4.3 v3 | 0.2% | - | No fix available yet | 2026-02-23 | Shenzhen Tenda F3 Wireless Router firmware V12.01.01.55_multi contains a clickjacking vulnerability in the web-based administrative interface. The interface does not set the X-Frame-Options header, allowing attacker-controlled sites to embed administrative pages in an iframe and trick an authenticated administrator into unintended interactions that may result in unauthorized configuration changes. |
| CVE-2026-26000 | Medium | 6.1 v3 | 0.3% | - | Fix available | 2026-02-12 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.9.0, 17.4.6, and 16.10.13, it's possible using comments to inject CSS that would transform the full wiki into a link area leading to a malicious page. This vulnerability is fixed in 17.9.0, 17.4.6, and 16.10.13. |
| CVE-2026-20645 | Medium | 4.6 v3 | 0.2% | - | Fix available | 2026-02-11 | An inconsistent user interface issue was addressed with improved state management. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3. An attacker with physical access to a locked device may be able to view sensitive user information. |
| CVE-2026-24839 | Medium | 4.7 v3 | 0.2% | - | Fix available | 2026-01-28 | Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, the Dokploy web interface is vulnerable to Clickjacking attacks due to missing frame-busting headers. This allows attackers to embed Dokploy pages in malicious iframes and trick authenticated users into performing unintended actions. Version 0.26.6 patches the issue. |
| CVE-2026-23731 | Medium | 4.3 v3 | 0.3% | - | Fix available | 2026-01-16 | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, the web application is vulnerable to clickjacking attacks. The WeGIA application does not send any defensive HTTP headers related to framing protection. In particular, X-Frame-Options is missing and Content-Security-Policy with the frame-ancestors directive is not configured. Because of this, an attacker can load any WeGIA page inside a malicious HTML document, overlay deceptive elements, hide real buttons, or force accidental interaction with sensitive workflows. This vulnerability is fixed in 3.6.2. |
| CVE-2025-15032 | High | 7.4 v3 | 0.2% | - | No fix available yet | 2026-01-16 | Missing about:blank indicator in custom-sized new windows in Dia before 1.9.0 on macOS could allow an attacker to spoof a trusted domain in the window title and mislead users about the current site. |
| CVE-2025-52987 | Medium | 6.1 v3 | 0.2% | - | Fix available | 2026-01-15 | A clickjacking vulnerability exists in the web portal of Juniper Networks Paragon Automation (Pathfinder, Planner, Insights) due to the application's failure to set appropriate X-Frame-Options and X-Content-Type HTTP headers. This vulnerability allows an attacker to trick users into interacting with the interface under the attacker's control. This issue affects all versions of Paragon Automation (Pathfinder, Planner, Insights) before 24.1.1. |
| CVE-2026-22918 | Medium | 4.3 v3 | 0.3% | - | No fix available yet | 2026-01-15 | An attacker may exploit missing protection against clickjacking by tricking users into performing unintended actions through maliciously crafted web pages, leading to the extraction of sensitive data. |
| CVE-2025-65922 | Medium | 4.3 v3 | 0.1% | - | No fix available yet | 2026-01-05 | PLANKA 2.0.0 lacks X-Frame-Options and CSP frame-ancestors headers, allowing the application to be embedded within malicious iframes. While this does not lead to unintended modification of projects or tasks, it exposes users to Phishing attacks. Attackers can frame the legitimate Planka application on a malicious site to establish false trust (UI Redressing), potentially tricking users into entering sensitive information or credentials into overlaid fake forms. NOTE: this is disputed by the Supplier because "PLANKA uses SameSite=Strict cookies, preventing authentication in cross-origin contexts. No session can be established. No credential interception or unauthorized actions are possible. Browser Same-Origin Policy prevents the parent page from accessing iframe content. Clickjacking is no |
| CVE-2025-14812 | High | 7.5 v3 | 0.2% | - | No fix available yet | 2025-12-19 | ArcSearch for iOS versions prior to 1.45.2 could display a different domain in the address bar than the content being shown after an iframe-triggered URI-scheme navigation, increasing spoofing risk. |
| CVE-2025-14809 | High | 7.4 v3 | 0.2% | - | No fix available yet | 2025-12-19 | ArcSearch for Android versions prior to 1.12.6 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content. |
| CVE-2025-59849 | Medium | 4.7 v3 | 0.2% | - | Fix available | 2025-12-17 | Improper management of Content Security Policy in HCL BigFix Remote Control Lite Web Portal (versions 10.1.0.0326 and lower) may allow the execution of malicious code in web pages. |
| CVE-2025-59479 | Medium | 6.1 v3 | 0.2% | - | No fix available yet | 2025-12-16 | CHOCO TEI WATCHER mini (IB-MCT001) contains an issue with improper restriction of rendered UI layers or frames. If a user clicks on content on a malicious web page while logged into the product, unintended operations may be performed on the product. |
| CVE-2025-14373 | Medium | 4.3 v3 | 0.3% | - | Fix available | 2025-12-11 | This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. |
| CVE-2025-48639 | High | 7.3 v3 | 0.1% | - | No fix available yet | 2025-12-08 | In DefaultTransitionHandler.java, there is a possible way to unknowingly grant permissions to an app due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. |
| CVE-2025-48597 | High | 7.8 v3 | 0.1% | - | No fix available yet | 2025-12-08 | In multiple locations, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2025-63522 | Medium | 4.6 v3 | 0.2% | - | No fix available yet | 2025-12-01 | Reverse Tabnabbing vulnerability in FeehiCMS 2.1.1 in the Comments Management function. |
| CVE-2025-36149 | Medium | 6.3 v3 | 0.2% | - | Fix available | 2025-11-21 | IBM Concert Software 1.0.0 through 2.0.0 could allow a remote attacker to hijack the clicking action of the victim. |
| CVE-2025-13132 | High | 7.4 v3 | 0.2% | - | No fix available yet | 2025-11-21 | This vulnerability allowed a site to enter fullscreen, after a user click, without a full-screen notification (toast) appearing. Without this notification, users could potentially be misled about what site they were on if a malicious site renders a fake UI (like a fake address bar). |
| CVE-2025-0421 | Medium | 4.7 v3 | 0.2% | - | No fix available yet | 2025-11-19 | Improper Restriction of Rendered UI Layers or Frames vulnerability in Shopside Software Technologies Inc. Shopside allows iFrame Overlay. This issue affects Shopside: through 05022025. |
| CVE-2025-64387 | Unscored | - | 0.4% | - | No fix available yet | 2025-10-31 | The web application is vulnerable to a so-called 'clickjacking' attack. In this type of attack, the vulnerable page is inserted into a page controlled by the attacker in order to deceive the victim. This deception can range from making the victim click on a button to making them enter their login credentials in a form that, a priori, appears legitimate. |
| CVE-2025-30191 | Medium | 5.4 v3 | 0.2% | - | No fix available yet | 2025-10-31 | Malicious content from E-Mail can be used to perform a redressing attack. Users can be tricked into performing unintended actions or providing sensitive information to a third party, which would enable further threats. Attribute values containing HTML fragments are now denied by the sanitization procedure. No publicly available exploits are known. |
| CVE-2025-28129 | Medium | 5.4 v3 | 0.2% | - | No fix available yet | 2025-10-06 | Phpgurukul Hostel Management System 2.1 is vulnerable to clickjacking. |
| CVE-2025-52658 | Low | 3.5 v3 | 0.2% | - | No fix available yet | 2025-10-03 | HCL MyXalytics is affected by the use of vulnerable/outdated versions which can expose the application to known security risks that could be exploited. |
| CVE-2025-59950 | Medium | 6.7 v3 | 0.3% | - | Fix available | 2025-09-30 | FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.3 and below, due to a bypass of double clickjacking protection (confirmation dialog), it is possible to trick the admin into clicking the Promote button in another user's management page after the admin double clicks on a button inside an attacker-controlled website. A successful attack can allow the attacker to promote themselves to "admin" and log into other users' accounts; the attacker has to know the specific instance URL they're targeting. This issue is fixed in version 1.27.0. |
| CVE-2025-57769 | Medium | 6.1 v3 | 0.3% | - | Fix available | 2025-09-29 | FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below contain a vulnerability where a specially crafted page can trick a user into executing arbitrary JS code or promoting a user in FreshRSS by obscuring UI elements in iframes. If embedding an authenticated iframe is possible, this may lead to privilege escalation via obscuring the promote user button in the admin UI or XSS by tricking the user to drag content into the UserJS text area. This is fixed in version 1.27.0. |
| CVE-2025-0546 | Medium | 4.7 v3 | 0.2% | - | No fix available yet | 2025-09-17 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting'), Improper Restriction of Rendered UI Layers or Frames vulnerability in Mevzuattr Software MevzuatTR allows Phishing, iFrame Overlay, Clickjacking, Forceful Browsing. This issue needs high privileges. This issue affects MevzuatTR: before 12.02.2025. |
| CVE-2025-32350 | High | 7.8 v3 | 0.1% | - | No fix available yet | 2025-09-04 | In maybeShowDialog of ControlsSettingsDialogManager.kt, there is a possible overlay of the ControlsSettingsDialog due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
Uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog.