Total: 372 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2026-0007 | 1 Google | 1 Android | 2026-03-06 | N/A | 8.6 HIGH | In writeToParcel of WindowInfo.cpp, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2025-58405 | | | 2026-03-02 | N/A | N/A | The CGM CLININET application does not implement any mechanisms that prevent clickjacking attacks: neither HTTP security headers nor HTML-based frame-busting protections were detected. As a result, an attacker can embed the application inside a maliciously crafted IFRAME and trick users into performing unintended actions, including potentially bypassing CSRF/XSRF defenses. |
| CVE-2026-27511 | 1 Tenda | 2 F3, F3 Firmware | 2026-02-23 | N/A | 4.3 MEDIUM | Shenzhen Tenda F3 Wireless Router firmware V12.01.01.55_multi contains a clickjacking vulnerability in the web-based administrative interface. The interface does not set the X-Frame-Options header, allowing attacker-controlled sites to embed administrative pages in an iframe and trick an authenticated administrator into unintended interactions that may result in unauthorized configuration changes. |
| CVE-2026-26000 | 1 Xwiki | 1 Xwiki | 2026-02-19 | N/A | 6.1 MEDIUM | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.9.0, 17.4.6, and 16.10.13, it is possible, using comments, to inject CSS that would transform the full wiki into a link area leading to a malicious page. This vulnerability is fixed in 17.9.0, 17.4.6, and 16.10.13. |
| CVE-2026-20645 | 1 Apple | 2 Ipados, Iphone Os | 2026-02-13 | N/A | 4.6 MEDIUM | An inconsistent user interface issue was addressed with improved state management. This issue is fixed in iOS 26.3 and iPadOS 26.3, iOS 18.7.5 and iPadOS 18.7.5. An attacker with physical access to a locked device may be able to view sensitive user information. |
| CVE-2025-27455 | 1 Endress | 2 Meac300-fnade4, Meac300-fnade4 Firmware | 2026-02-06 | N/A | 4.3 MEDIUM | The web application is vulnerable to clickjacking attacks. The site can be embedded into another frame, allowing an attacker to trick a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocuous objects. |
| CVE-2025-49192 | 1 Sick | 2 Field Analytics, Media Server | 2026-02-06 | N/A | 4.3 MEDIUM | The web application is vulnerable to clickjacking attacks. The site can be embedded into another frame, allowing an attacker to trick a user into clicking on something different from what the user perceives. This could potentially reveal confidential information or allow others to take control of their computer while clicking on seemingly innocuous objects. |
| CVE-2026-24839 | 1 Dokploy | 1 Dokploy | 2026-02-04 | N/A | 4.7 MEDIUM | Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, the Dokploy web interface is vulnerable to clickjacking attacks due to missing frame-busting headers. This allows attackers to embed Dokploy pages in malicious iframes and trick authenticated users into performing unintended actions. Version 0.26.6 patches the issue. |
| CVE-2026-23731 | 1 Wegia | 1 Wegia | 2026-01-30 | N/A | 4.3 MEDIUM | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, the web application is vulnerable to clickjacking attacks. The WeGIA application does not send any defensive HTTP headers related to framing protection. In particular, X-Frame-Options is missing and Content-Security-Policy with the frame-ancestors directive is not configured. Because of this, an attacker can load any WeGIA page inside a malicious HTML document, overlay deceptive elements, hide real buttons, or force accidental intera ... |
| CVE-2025-49191 | 1 Sick | 1 Field Analytics | 2026-01-29 | N/A | 4.8 MEDIUM | Linked URLs during the creation of iFrame widgets and dashboards are vulnerable to code execution. The URLs get embedded as iFrame widgets, making it possible to attack other users that access the dashboard by including malicious code. The attack is only possible if the attacker is authorized to create new dashboards or iFrame widgets. |
| CVE-2025-52987 | 1 Juniper | 1 Paragon Automation | 2026-01-26 | N/A | 6.1 MEDIUM | A clickjacking vulnerability exists in the web portal of Juniper Networks Paragon Automation (Pathfinder, Planner, Insights) due to the application's failure to set appropriate X-Frame-Options and X-Content-Type HTTP headers. This vulnerability allows an attacker to trick users into interacting with the interface under the attacker's control. This issue affects all versions of Paragon Automation (Pathfinder, Planner, Insights) before 24.1.1. |
| CVE-2025-15032 | | | 2026-01-26 | N/A | 7.4 HIGH | Missing about:blank indicator in custom-sized new windows in Dia before 1.9.0 on macOS could allow an attacker to spoof a trusted domain in the window title and mislead users about the current site. |
| CVE-2026-22918 | 1 Sick | 2 Tdc-x401gl, Tdc-x401gl Firmware | 2026-01-23 | N/A | 4.3 MEDIUM | An attacker may exploit missing protection against clickjacking by tricking users into performing unintended actions through maliciously crafted web pages, leading to the extraction of sensitive data. |
| CVE-2023-47774 | 1 Automattic | 1 Jetpack | 2026-01-22 | N/A | 5.4 MEDIUM | Improper Restriction of Rendered UI Layers or Frames vulnerability in Automattic Jetpack allows Clickjacking. This issue affects Jetpack: from n/a before 12.7. |
| CVE-2025-65922 | | | 2026-01-08 | N/A | 4.3 MEDIUM | PLANKA 2.0.0 lacks X-Frame-Options and CSP frame-ancestors headers, allowing the application to be embedded within malicious iframes. While this does not lead to unintended modification of projects or tasks, it exposes users to phishing attacks. Attackers can frame the legitimate Planka application on a malicious site to establish false trust (UI redressing), potentially tricking users into entering sensitive information or credentials into overlaid fake forms. NOTE: this is disputed by the Supp ... |
| CVE-2025-59849 | 1 Hcltechsw | 2 Hcl Devops Deploy, Hcl Launch | 2026-01-06 | N/A | 4.7 MEDIUM | Improper management of Content Security Policy in HCL BigFix Remote Control Lite Web Portal (versions 10.1.0.0326 and lower) may allow the execution of malicious code in web pages. |
| CVE-2025-59479 | 1 Inaba | 2 Ib-mct001, Ib-mct001 Firmware | 2025-12-23 | N/A | 6.1 MEDIUM | CHOCO TEI WATCHER mini (IB-MCT001) contains an issue with improper restriction of rendered UI layers or frames. If a user clicks on content on a malicious web page while logged into the product, unintended operations may be performed on the product. |
| CVE-2025-14809 | | | 2025-12-19 | N/A | 7.4 HIGH | ArcSearch for Android versions prior to 1.12.6 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content. |
| CVE-2025-14812 | | | 2025-12-19 | N/A | 7.5 HIGH | ArcSearch for iOS versions prior to 1.45.2 could display a different domain in the address bar than the content being shown after an iframe-triggered URI-scheme navigation, increasing spoofing risk. |
| CVE-2025-14373 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2025-12-19 | N/A | 4.3 MEDIUM | Inappropriate implementation in Toolbar in Google Chrome on Android prior to 143.0.7499.110 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium security severity: Medium) |
| CVE-2025-48639 | 1 Google | 1 Android | 2025-12-08 | N/A | 7.3 HIGH | In DefaultTransitionHandler.java, there is a possible way to unknowingly grant permissions to an app due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. |
| CVE-2025-48597 | 1 Google | 1 Android | 2025-12-08 | N/A | 7.8 HIGH | In multiple locations, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2025-36149 | 1 Ibm | 1 Concert | 2025-12-02 | N/A | 6.3 MEDIUM | IBM Concert Software 1.0.0 through 2.0.0 could allow a remote attacker to hijack the clicking action of the victim. |
| CVE-2025-63522 | 1 Feehi | 1 Feehicms | 2025-12-02 | N/A | 4.6 MEDIUM | Reverse tabnabbing vulnerability in FeehiCMS 2.1.1 in the Comments Management function. |
| CVE-2025-54527 | 1 Jetbrains | 1 Youtrack | 2025-12-01 | N/A | 6.1 MEDIUM | In JetBrains YouTrack before 2025.2.86935, 2025.2.87167, 2025.3.87341, 2025.3.87344, improper iframe configuration in the widget sandbox allows popups to bypass security restrictions. |
| CVE-2025-13132 | | | 2025-11-25 | N/A | 7.4 HIGH | This vulnerability allowed a site to enter fullscreen, after a user click, without a full-screen notification (toast) appearing. Without this notification, users could potentially be misled about what site they were on if a malicious site renders a fake UI (like a fake address bar). |
| CVE-2025-0421 | | | 2025-11-19 | N/A | 4.7 MEDIUM | Improper Restriction of Rendered UI Layers or Frames vulnerability in Shopside Software Technologies Inc. Shopside allows iFrame Overlay. This issue affects Shopside: through 05022025. |
| CVE-2024-40817 | 1 Apple | 2 Macos, Safari | 2025-11-04 | N/A | 6.1 MEDIUM | The issue was addressed with improved UI handling. This issue is fixed in macOS Sonoma 14.6, Safari 17.6, macOS Monterey 12.7.6, macOS Ventura 13.6.8. Visiting a website that frames malicious content may lead to UI spoofing. |
| CVE-2025-64387 | | | 2025-11-04 | N/A | N/A | The web application is vulnerable to a so-called 'clickjacking' attack. In this type of attack, the vulnerable page is inserted into a page controlled by the attacker in order to deceive the victim. This deception can range from making the victim click on a button to making them enter their login credentials in a form that, a priori, appears legitimate. |
| CVE-2025-30191 | | | 2025-11-04 | N/A | 5.4 MEDIUM | Malicious content from e-mail can be used to perform a redressing attack. Users can be tricked into performing unintended actions or providing sensitive information to a third party, which would enable further threats. Attribute values containing HTML fragments are now denied by the sanitization procedure. No publicly available exploits are known. |
| CVE-2024-11695 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-11-03 | N/A | 5.4 MEDIUM | A crafted URL containing Arabic script and whitespace characters could have hidden the true origin of the page, resulting in a potential spoofing attack. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5. |
| CVE-2025-5267 | 1 Mozilla | 1 Firefox | 2025-11-03 | N/A | 5.4 MEDIUM | A clickjacking vulnerability could have been used to trick a user into leaking saved payment card details to a malicious page. This vulnerability affects Firefox < 139, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11. |
| CVE-2024-30109 | 1 Hcltech | 1 Dryice Aex | 2025-10-30 | N/A | 3.7 LOW | HCL DRYiCE AEX is impacted by a lack of clickjacking protection in the AEX web application. An attacker can use multiple transparent or opaque layers to trick a user into clicking on a button or link on a page other than the one intended. |
| CVE-2025-28129 | 1 Phpgurukul | 1 Hostel Management System | 2025-10-21 | N/A | 5.4 MEDIUM | Phpgurukul Hostel Management System 2.1 is vulnerable to clickjacking. |
| CVE-2025-31138 | 1 Amauri | 1 Tarteaucitronjs | 2025-10-21 | N/A | 5.5 MEDIUM | tarteaucitron.js is a compliant and accessible cookie banner. A vulnerability was identified in tarteaucitron.js prior to 1.20.1, where user-controlled inputs for element dimensions (width and height) were not properly validated. This allowed an attacker with direct access to the site's source code or a CMS plugin to set values like 100%;height:100%;position:fixed;, potentially covering the entire viewport and facilitating clickjacking attacks. An attacker with high privileges could exploit this ... |
| CVE-2025-52658 | 1 Hcltech | 1 Dryice Myxalytics | 2025-10-10 | N/A | 3.5 LOW | HCL MyXalytics is affected by the use of vulnerable/outdated versions, which can expose the application to known security risks that could be exploited. |
| CVE-2025-57769 | 1 Freshrss | 1 Freshrss | 2025-10-03 | N/A | 6.1 MEDIUM | FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below contain a vulnerability where a specially crafted page can trick a user into executing arbitrary JS code or promoting a user in FreshRSS by obscuring UI elements in iframes. If embedding an authenticated iframe is possible, this may lead to privilege escalation via obscuring the promote user button in the admin UI, or to XSS by tricking the user into dragging content into the UserJS text area. This is fixed in version 1.27.0. |
| CVE-2025-59950 | 1 Freshrss | 1 Freshrss | 2025-10-03 | N/A | 6.7 MEDIUM | FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.3 and below, due to a bypass of double clickjacking protection (confirmation dialog), it is possible to trick the admin into clicking the Promote button in another user's management page after the admin double clicks on a button inside an attacker-controlled website. A successful attack can allow the attacker to promote themselves to "admin" and log into other users' accounts; the attacker has to know the specific instance URL th ... |
| CVE-2024-56436 | 1 Huawei | 1 Harmonyos | 2025-09-27 | N/A | 5.5 MEDIUM | Cross-process screen stack vulnerability in the UIExtension module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. |
| CVE-2024-56435 | 1 Huawei | 1 Harmonyos | 2025-09-27 | N/A | 6.2 MEDIUM | Cross-process screen stack vulnerability in the UIExtension module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. |