Improper input validation in Apache Cordova Plugin InAppBrowser on iOS allows remote attackers to dispatch arbitrary Cordova callback IDs without validation, potentially leading to remote code execution within the hybrid app context. The issue was disclosed June 7, 2026 via the oss-security mailing list by an Apache contributor and is tagged RCE; no public exploit has been identified at time of analysis and it is not present in CISA KEV. The CVSS 4.0 base score of 9.5 reflects high impact across confidentiality, integrity, and availability of both the vulnerable component and downstream subsequent systems.
RCE
Cordova Inappbrowser
NVD
VulDB
CVSS 4.0
9.5
EPSS
0.1%