Total: 382 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-2496 | 1 Google | 1 Android | 2026-05-06 | 10.0 HIGH | 9.8 CRITICAL |
| The Framework UI permission-dialog implementation in Android 6.x before 2016-06-01 allows attackers to conduct tapjacking attacks and access arbitrary private-storage files by creating a partially overlapping window, aka internal bug 26677796. | |||||
| CVE-2015-1241 | 6 Canonical, Debian, Google and 3 more | 11 Ubuntu Linux, Debian Linux, Chrome and 8 more | 2026-05-06 | 4.3 MEDIUM | N/A |
| Google Chrome before 42.0.2311.90 does not properly consider the interaction of page navigation with the handling of touch events and gesture events, which allows remote attackers to trigger unintended UI actions via a crafted web site that conducts a "tapjacking" attack. | |||||
| CVE-2014-1480 | 5 Canonical, Mozilla, Opensuse and 2 more | 8 Ubuntu Linux, Firefox, Seamonkey and 5 more | 2026-04-29 | 4.3 MEDIUM | N/A |
| The file-download implementation in Mozilla Firefox before 27.0 and SeaMonkey before 2.24 does not properly restrict the timing of button selections, which allows remote attackers to conduct clickjacking attacks, and trigger unintended launching of a downloaded file, via a crafted web site. | |||||
| CVE-2011-1244 | 1 Microsoft | 6 Internet Explorer, Windows 7, Windows Server 2003 and 3 more | 2026-04-29 | 5.8 MEDIUM | N/A |
| Microsoft Internet Explorer 6, 7, and 8 does not enforce intended domain restrictions on content access, which allows remote attackers to obtain sensitive information or conduct clickjacking attacks via a crafted web site, aka "Frame Tag Information Disclosure Vulnerability." | |||||
| CVE-2014-1483 | 5 Canonical, Mozilla, Opensuse and 2 more | 8 Ubuntu Linux, Firefox, Seamonkey and 5 more | 2026-04-29 | 5.0 MEDIUM | N/A |
| Mozilla Firefox before 27.0 and SeaMonkey before 2.24 allow remote attackers to bypass the Same Origin Policy and obtain sensitive information by using an IFRAME element in conjunction with certain timing measurements involving the document.caretPositionFromPoint and document.elementFromPoint functions. | |||||
| CVE-2013-5614 | 7 Canonical, Fedoraproject, Mozilla and 4 more | 16 Ubuntu Linux, Fedora, Firefox and 13 more | 2026-04-29 | 4.3 MEDIUM | N/A |
| Mozilla Firefox before 26.0 and SeaMonkey before 2.23 do not properly consider the sandbox attribute of an IFRAME element during processing of a contained OBJECT element, which allows remote attackers to bypass intended sandbox restrictions via a crafted web site. | |||||
| CVE-2025-9108 | | | 2026-04-29 | 5.0 MEDIUM | 4.3 MEDIUM |
| Affected is an unknown function of the component Login Page. The manipulation leads to improper restriction of rendered ui layers. It is possible to launch the attack remotely. | |||||
| CVE-2025-7903 | 1 Ruoyi | 1 Ruoyi | 2026-04-29 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability classified as problematic was found in yangzongzhuan RuoYi up to 4.8.1. Affected by this vulnerability is an unknown functionality of the component Image Source Handler. The manipulation leads to improper restriction of rendered ui layers. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2023-47774 | 1 Automattic | 1 Jetpack | 2026-04-28 | N/A | 5.4 MEDIUM |
| Improper Restriction of Rendered UI Layers or Frames vulnerability in Automattic Jetpack allows Clickjacking. This issue affects Jetpack: from n/a before 12.7. | |||||
| CVE-2026-3254 | 1 Gitlab | 1 Gitlab | 2026-04-23 | N/A | 3.5 LOW |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that under certain conditions could have allowed an authenticated user to load unauthorized content into another user's browser due to improper input validation in the Mermaid sandbox. | |||||
| CVE-2008-2716 | 1 Opera | 1 Opera Browser | 2026-04-23 | 5.0 MEDIUM | N/A |
| Unspecified vulnerability in Opera before 9.5 allows remote attackers to spoof the contents of trusted frames on the same parent page by modifying the location, which can facilitate phishing attacks. | |||||
| CVE-2026-2378 | 1 Thebrowser | 1 Arc Search | 2026-04-16 | N/A | 7.4 HIGH |
| ArcSearch for Android versions prior to 1.12.7 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content. | |||||
| CVE-2005-2407 | 1 Opera | 1 Opera Browser | 2026-04-16 | 5.1 MEDIUM | N/A |
| A design error in Opera 8.01 and earlier allows user-assisted attackers to execute arbitrary code by overlaying a malicious new window above a file download dialog box, then tricking the user into double-clicking on the "Run" button, aka "link hijacking". | |||||
| CVE-2025-25213 | | | 2026-04-15 | N/A | 6.5 MEDIUM |
| Improper restriction of rendered UI layers or frames issue exists in Wi-Fi AP UNIT 'AC-WPS-11ac series'. If a user views and clicks on the content on the malicious page while logged in, unintended operations may be performed. | |||||
| CVE-2025-30191 | | | 2026-04-15 | N/A | 5.4 MEDIUM |
| Malicious content from E-Mail can be used to perform a redressing attack. Users can be tricked to perform unintended actions or provide sensitive information to a third party which would enable further threats. Attribute values containing HTML fragments are now denied by the sanitization procedure. No publicly available exploits are known. | |||||
| CVE-2025-64387 | | | 2026-04-15 | N/A | N/A |
| The web application is vulnerable to a so-called ‘clickjacking’ attack. In this type of attack, the vulnerable page is inserted into a page controlled by the attacker in order to deceive the victim. This deception can range from making the victim click on a button to making them enter their login credentials in a form that, a priori, appears legitimate. | |||||
| CVE-2025-41000 | | | 2026-04-15 | N/A | N/A |
| Cross-Frame Scripting (XFS) vulnerability in BoomCMS v9.1.4 from UXB London. XFS is a web attack technique that exploits specific browser bugs to spy on users via JavaScript. This type of attack is based on social engineering and depends entirely on the browser chosen by the user, so it is perceived as a minor threat to web application security. This vulnerability only works in older browsers. | |||||
| CVE-2024-3911 | | | 2026-04-15 | N/A | 6.5 MEDIUM |
| An unauthenticated remote attacker can deceive users into performing unintended actions due to improper restriction of rendered UI layers or frames. | |||||
| CVE-2025-24310 | | | 2026-04-15 | N/A | 4.3 MEDIUM |
| Improper restriction of rendered UI layers or frames issue exists in HMI ViewJet C-more series, which may allow a remote unauthenticated attacker to trick the product user to perform operations on the product's web pages. | |||||
| CVE-2025-14812 | | | 2026-04-15 | N/A | 7.5 HIGH |
| ArcSearch for iOS versions prior to 1.45.2 could display a different domain in the address bar than the content being shown after an iframe-triggered URI-scheme navigation, increasing spoofing risk. | |||||
