Total: 382 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-24874 | | | 2026-04-15 | N/A | 6.8 MEDIUM | SAP Commerce (Backoffice) uses the deprecated X-FRAME-OPTIONS header to protect against clickjacking. While this protection remains effective now, it may not be the case in the future as browsers might discontinue support for this header in favor of the frame-ancestors CSP directive. Hence, clickjacking could become possible then, and lead to exposure and modification of sensitive information. |
| CVE-2024-55888 | | | 2026-04-15 | N/A | 7.1 HIGH | Hush Line is an open-source whistleblower management system. Starting in version 0.1.0 and prior to version 0.3.5, the production server appeared to have been misconfigured and did not provide any content security policy or security headers. This could result in bypassing of cross-site scripting filters. Version 0.3.5 fixed the issue. |
| CVE-2025-65922 | | | 2026-04-15 | N/A | 4.3 MEDIUM | PLANKA 2.0.0 lacks X-Frame-Options and CSP frame-ancestors headers, allowing the application to be embedded within malicious iframes. While this does not lead to unintended modification of projects or tasks, it exposes users to phishing attacks. Attackers can frame the legitimate Planka application on a malicious site to establish false trust (UI redressing), potentially tricking users into entering sensitive information or credentials into overlaid fake forms. NOTE: this is disputed by the Supplier because "PLANKA uses SameSite=Strict cookies, preventing authentication in cross-origin contexts. No session can be established. No credential interception or unauthorized actions are possible. Browser Same-Origin Policy prevents the parent page from accessing iframe content. Clickjacking is not applicable on the login page. Any credential capture would require attacker-controlled input and user interaction equivalent to phishing. The security outcome depends entirely on the user's trust in the parent page. An attacker can achieve the same effect with a fully fake login page. Embedding the legitimate page adds no risk, as browsers do not show URL, certificate, or padlock indicators in cross-origin iframes." |
| CVE-2025-6983 | | | 2026-04-15 | N/A | N/A | A clickjacking vulnerability in the TP-Link Archer C1200 web management page allows an attacker to trick users into performing unintended actions via rendered UI layers or frames. This issue affects Archer C1200 <= 1.1.5. |
| CVE-2025-0546 | | | 2026-04-15 | N/A | 4.7 MEDIUM | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') and Improper Restriction of Rendered UI Layers or Frames vulnerability in Mevzuattr Software MevzuatTR allows Phishing, iFrame Overlay, Clickjacking, Forceful Browsing. This issue requires high privileges. This issue affects MevzuatTR: before 12.02.2025. |
| CVE-2025-0421 | | | 2026-04-15 | N/A | 4.7 MEDIUM | Improper Restriction of Rendered UI Layers or Frames vulnerability in Shopside Software Technologies Inc. Shopside allows iFrame Overlay. This issue affects Shopside: through 05022025. |
| CVE-2025-13132 | | | 2026-04-15 | N/A | 7.4 HIGH | This vulnerability allowed a site to enter fullscreen, after a user click, without a fullscreen notification (toast) appearing. Without this notification, users could potentially be misled about what site they were on if a malicious site renders a fake UI (such as a fake address bar). |
| CVE-2024-10454 | | | 2026-04-15 | N/A | 6.1 MEDIUM | Clickjacking vulnerability in Clibo Manager v1.1.9.12 in the '/public/login' directory, a login panel. This vulnerability occurs due to the absence of an X-Frame-Options server-side header. An attacker could overlay a transparent iframe to perform click hijacking on victims. |
| CVE-2024-6466 | | | 2026-04-15 | N/A | 5.3 MEDIUM | NEC Corporation's WebSAM DeploymentManager v6.0 to v6.80 allows an attacker to reset configurations or restart products over the network because X-FRAME-OPTIONS is not specified. |
| CVE-2025-15032 | | | 2026-04-15 | N/A | 7.4 HIGH | A missing about:blank indicator in custom-sized new windows in Dia before 1.9.0 on macOS could allow an attacker to spoof a trusted domain in the window title and mislead users about the current site. |
| CVE-2025-14809 | | | 2026-04-15 | N/A | 7.4 HIGH | ArcSearch for Android versions prior to 1.12.6 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content. |
| CVE-2025-6434 | 1 Mozilla | 1 Firefox | 2026-04-13 | N/A | 4.3 MEDIUM | The exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially allowing an attacker to trick a user into granting an exception and loading a webpage over HTTP. This vulnerability was fixed in Firefox 140 and Thunderbird 140. |
| CVE-2025-5267 | 1 Mozilla | 1 Firefox | 2026-04-13 | N/A | 5.4 MEDIUM | A clickjacking vulnerability could have been used to trick a user into leaking saved payment card details to a malicious page. This vulnerability was fixed in Firefox 139, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11. |
| CVE-2025-1940 | 1 Mozilla | 1 Firefox | 2026-04-13 | N/A | 7.1 HIGH | A select option could partially obscure the confirmation prompt shown before launching external apps. This could be used to trick a user into launching an external app unexpectedly. This issue only affects Android versions of Firefox. This vulnerability was fixed in Firefox 136. |
| CVE-2025-1019 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-13 | N/A | 4.3 MEDIUM | The z-order of the browser windows could be manipulated to hide the fullscreen notification. This could potentially be leveraged to perform a spoofing attack. This vulnerability was fixed in Firefox 135 and Thunderbird 135. |
| CVE-2025-1018 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-13 | N/A | 5.3 MEDIUM | The fullscreen notification is prematurely hidden when fullscreen is re-requested quickly by the user. This could have been leveraged to perform a potential spoofing attack. This vulnerability was fixed in Firefox 135 and Thunderbird 135. |
| CVE-2026-20645 | 1 Apple | 2 Ipados, Iphone Os | 2026-04-02 | N/A | 4.6 MEDIUM | An inconsistent user interface issue was addressed with improved state management. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3. An attacker with physical access to a locked device may be able to view sensitive user information. |
| CVE-2024-40817 | 1 Apple | 2 Macos, Safari | 2026-04-02 | N/A | 6.1 MEDIUM | The issue was addressed with improved UI handling. This issue is fixed in Safari 17.6, macOS Monterey 12.7.6, macOS Sonoma 14.6, macOS Ventura 13.6.8. Visiting a website that frames malicious content may lead to UI spoofing. |
| CVE-2025-62328 | | | 2026-03-12 | N/A | 3.7 LOW | HCL Nomad server on Domino did not configure the frame-ancestors directive in the Content-Security-Policy header by default, which could allow an attacker to obtain sensitive information via unspecified vectors. |
| CVE-2025-58405 | 1 Cgm | 1 Clininet | 2026-03-09 | N/A | 6.1 MEDIUM | The CGM CLININET application does not implement any mechanism that prevents clickjacking attacks: neither HTTP security headers nor HTML-based frame-busting protections were detected. As a result, an attacker can embed the application inside a maliciously crafted IFRAME and trick users into performing unintended actions, including potentially bypassing CSRF/XSRF defenses. |
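Several entries above (Clibo Manager, WebSAM DeploymentManager, HCL Nomad, CLININET, PLANKA) come down to the same check: does the response carry an X-Frame-Options header or a CSP frame-ancestors directive, and would the browser actually honour it? The SAP Commerce entry adds the ordering question of X-Frame-Options versus frame-ancestors. The following is an added example, not code from any vendor or advisory listed on this page; it implements the browser precedence rules as a checker you can run offline against captured response headers. The header sets in `SAMPLES` and the hostnames `app.example`, `evil.example`, `trusted.example` and `partner.example` are constructed for the example and are not taken from any product.

```python
"""Decide whether a page can be framed, from its HTTP response headers.

Added example; not code from any vendor or advisory on this page. It models
the browser rules the listed advisories turn on: a CSP frame-ancestors
directive takes precedence over X-Frame-Options, an X-Frame-Options value of
ALLOW-FROM (or any other unrecognised value) is ignored by current browsers,
and no header at all means any origin may frame the page. The header sets in
SAMPLES are constructed, not captured from any product.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """(scheme, host, port) of a URL, with the scheme's default port filled in."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def frame_ancestors(csp):
    """Source list of the first frame-ancestors directive in a CSP header, else None."""
    if not csp:
        return None
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]  # browsers ignore later duplicates of a directive
    return None


def _scheme_ok(wanted, actual):
    # CSP accepts https as an upgrade of an http source
    return actual == wanted or (wanted == "http" and actual == "https")


def _source_matches(src, page, framer):
    """Simplified CSP3 matching of one frame-ancestors source against the framer's origin."""
    s = src.lower()
    if s == "'none'":
        return False
    if s == "'self'":
        return framer == page
    if s == "*":
        return framer[0] in DEFAULT_PORTS
    if s.endswith(":") and "/" not in s:  # scheme-source such as "https:"
        return _scheme_ok(s[:-1], framer[0])
    scheme, _, rest = s.rpartition("://")  # host-source: [scheme://]host[:port][/path]
    host, _, port = rest.split("/", 1)[0].partition(":")
    if not _scheme_ok(scheme or page[0], framer[0]):  # no scheme: the page's own scheme
        return False
    if host.startswith("*."):
        if not framer[1].endswith(host[1:]):  # "*.a.example" matches x.a.example, not a.example
            return False
    elif framer[1] != host:
        return False
    if port == "*":
        return True
    return framer[2] == (int(port) if port else DEFAULT_PORTS.get(framer[0]))


def framing_allowed(headers, page_url, framer_url):
    """Return (allowed, reason) for framer_url embedding page_url.

    Only the enforced Content-Security-Policy header counts: frame-ancestors in
    Content-Security-Policy-Report-Only or in a <meta> tag does nothing, and
    X-Frame-Options is likewise honoured only as a response header.
    """
    h = {k.lower(): v for k, v in headers.items()}
    page, framer = _origin(page_url), _origin(framer_url)

    sources = frame_ancestors(h.get("content-security-policy"))
    if sources is not None:  # CSP present: X-Frame-Options is not consulted at all
        allowed = any(_source_matches(s, page, framer) for s in sources)
        return allowed, "CSP frame-ancestors " + " ".join(sources)

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return framer == page, "X-Frame-Options: SAMEORIGIN"
    if xfo:  # ALLOW-FROM and anything else is not understood, so it gives no protection
        return True, "X-Frame-Options %r is ignored by current browsers" % xfo
    return True, "no framing protection header"


# Constructed header sets mirroring the listed cases (not captured from any product).
SAMPLES = {
    "no headers (Clibo, CLININET, PLANKA style)": {},
    "X-Frame-Options only (SAP Commerce style)": {"X-Frame-Options": "SAMEORIGIN"},
    "obsolete ALLOW-FROM": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "CSP frame-ancestors, XFO DENY present but ignored": {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.trusted.example",
    },
}

if __name__ == "__main__":
    page = "https://app.example/login"
    for label, headers in SAMPLES.items():
        for framer in ("https://evil.example", "https://app.trusted.example", page):
            ok, why = framing_allowed(headers, page, framer)
            print("%-50s %-30s %s (%s)" % (label, framer, "FRAMABLE" if ok else "blocked", why))
```

Feed `framing_allowed` the headers from a real response (for example the dict from `requests.get(url).headers`) with the attacker origin you care about; a `True` result for a foreign origin on a page with state-changing actions is the condition the Clibo, WebSAM and CLININET entries describe. The last sample shows why relying on X-Frame-Options alone is brittle in the other direction too: once a frame-ancestors directive is present, even `DENY` is no longer consulted, so the two headers must say the same thing.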
