Total: 397 CVE

| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-65922 | 1 Planka | 1 Planka | 2026-01-08 | 4.3 Medium |
| PLANKA 2.0.0 lacks X-Frame-Options and CSP frame-ancestors headers, allowing the application to be embedded within malicious iframes. While this does not lead to unintended modification of projects or tasks, it exposes users to phishing attacks. Attackers can frame the legitimate Planka application on a malicious site to establish false trust (UI Redressing), potentially tricking users into entering sensitive information or credentials into overlaid fake forms. NOTE: this is disputed by the Supplier because "PLANKA uses SameSite=Strict cookies, preventing authentication in cross-origin contexts. No session can be established. No credential interception or unauthorized actions are possible. Browser Same-Origin Policy prevents the parent page from accessing iframe content. Clickjacking is not applicable on the login page. Any credential capture would require attacker-controlled input and user interaction equivalent to phishing. The security outcome depends entirely on the user's trust in the parent page. An attacker can achieve the same effect with a fully fake login page. Embedding the legitimate page adds no risk, as browsers do not show URL, certificate, or padlock indicators in cross-origin iframes." | ||||
| CVE-2025-59849 | 2 Hcltech, Hcltechsw | 3 Bigfix Remote Control, Hcl Devops Deploy, Hcl Launch | 2026-01-06 | 4.7 Medium |
| Improper management of Content Security Policy in HCL BigFix Remote Control Lite Web Portal (versions 10.1.0.0326 and lower) may allow the execution of malicious code in web pages. | ||||
| CVE-2025-59479 | 1 Inaba | 2 Ib-mct001, Ib-mct001 Firmware | 2025-12-23 | 6.1 Medium |
| CHOCO TEI WATCHER mini (IB-MCT001) contains an issue with improper restriction of rendered UI layers or frames. If a user clicks on content on a malicious web page while logged into the product, unintended operations may be performed on the product. | ||||
| CVE-2025-14812 | 2 Apple, The Browser Company | 2 Ios, Arc | 2025-12-21 | 7.5 High |
| ArcSearch for iOS versions prior to 1.45.2 could display a different domain in the address bar than the content being shown after an iframe-triggered URI-scheme navigation, increasing spoofing risk. | ||||
| CVE-2025-14809 | 2 Google, The Browser Company | 2 Android, Arc | 2025-12-21 | 7.4 High |
| ArcSearch for Android versions prior to 1.12.6 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content. | ||||
| CVE-2025-14373 | 4 Apple, Google, Linux and 1 more | 5 Macos, Android, Chrome and 2 more | 2025-12-19 | 4.3 Medium |
| Inappropriate implementation in Toolbar in Google Chrome on Android prior to 143.0.7499.110 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2025-48639 | 1 Google | 1 Android | 2025-12-17 | 7.3 High |
| In DefaultTransitionHandler.java, there is a possible way to unknowingly grant permissions to an app due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. | ||||
| CVE-2025-48597 | 1 Google | 1 Android | 2025-12-17 | 7.8 High |
| In multiple locations, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2025-13635 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2025-12-04 | 4.4 Medium |
| Inappropriate implementation in Downloads in Google Chrome prior to 143.0.7499.41 allowed a local attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2025-36149 | 1 Ibm | 1 Concert | 2025-12-02 | 6.3 Medium |
| IBM Concert Software 1.0.0 through 2.0.0 could allow a remote attacker to hijack the clicking action of the victim. | ||||
| CVE-2025-63522 | 1 Feehi | 2 Feehi Cms, Feehicms | 2025-12-02 | 4.6 Medium |
| Reverse Tabnabbing vulnerability in FeehiCMS 2.1.1 in the Comments Management function. | ||||
| CVE-2025-54527 | 1 Jetbrains | 1 Youtrack | 2025-12-01 | 6.1 Medium |
| In JetBrains YouTrack before 2025.2.86935, 2025.2.87167, 2025.3.87341, 2025.3.87344, improper iframe configuration in widget sandbox allows popups to bypass security restrictions. | ||||
| CVE-2025-13132 | 1 The Browser Company | 1 Dia | 2025-11-25 | 7.4 High |
| This vulnerability allowed a site to enter fullscreen, after a user click, without a full-screen notification (toast) appearing. Without this notification, users could potentially be misled about what site they were on if a malicious site renders a fake UI (like a fake address bar). | ||||
| CVE-2025-0421 | 1 Shopside | 1 Shopside | 2025-11-24 | 4.7 Medium |
| Improper Restriction of Rendered UI Layers or Frames vulnerability in Shopside Software Technologies Inc. Shopside allows iFrame Overlay. This issue affects Shopside: through 05022025. | ||||
| CVE-2025-13107 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2025-11-17 | 4.3 Medium |
| Inappropriate implementation in Compositing in Google Chrome prior to 140.0.7339.80 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2025-12446 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2025-11-13 | 4.2 Medium |
| Incorrect security UI in SplitView in Google Chrome prior to 142.0.7444.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted domain name. (Chromium security severity: Low) | ||||
| CVE-2023-4956 | 1 Redhat | 1 Quay | 2025-11-07 | 6.5 Medium |
| A flaw was found in Quay. Clickjacking is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they intend to click on the top-level page. During the pentest, it has been detected that the config-editor page is vulnerable to clickjacking. This flaw allows an attacker to trick an administrator user into clicking on buttons on the config-editor panel, possibly reconfiguring some parts of the Quay instance. | ||||
| CVE-2024-40817 | 1 Apple | 2 Macos, Safari | 2025-11-04 | 6.1 Medium |
| The issue was addressed with improved UI handling. This issue is fixed in macOS Sonoma 14.6, Safari 17.6, macOS Monterey 12.7.6, macOS Ventura 13.6.8. Visiting a website that frames malicious content may lead to UI spoofing. | ||||
| CVE-2025-30191 | 1 Open-xchange | 1 Ox App Suite | 2025-11-04 | 5.4 Medium |
| Malicious content from E-Mail can be used to perform a redressing attack. Users can be tricked into performing unintended actions or providing sensitive information to a third party, which would enable further threats. Attribute values containing HTML fragments are now denied by the sanitization procedure. No publicly available exploits are known. | ||||
| CVE-2025-64387 | 1 Circutor | 1 Tcprs1plus | 2025-11-04 | N/A |
| The web application is vulnerable to a so-called ‘clickjacking’ attack. In this type of attack, the vulnerable page is inserted into a page controlled by the attacker in order to deceive the victim. This deception can range from making the victim click on a button to making them enter their login credentials in a form that, a priori, appears legitimate. | ||||