Microsoft Edge (Chromium-based) contains a defense-in-depth vulnerability affecting all versions that allows remote attackers to disclose sensitive information and modify data through a network-based attack requiring user interaction. The vulnerability carries a CVSS score of 4.2 (low severity) with high attack complexity, indicating limited real-world exploitability despite dual confidentiality and integrity impacts. A vendor-released patch is available from Microsoft.
ArcSearch for Android versions prior to 1.12.7 contains an address bar spoofing vulnerability that allows attackers to display a different domain in the browser's address bar than the actual content being rendered. Users of ArcSearch for Android prior to version 1.12.7 are affected, and an attacker can craft malicious web content that, after user interaction, deceives users into believing they are visiting a legitimate domain while viewing attacker-controlled content. There is no indication of active exploitation in KEV data, and EPSS data is not provided.
HCL Nomad server on Domino did not configure the frame-ancestors directive in the Content-Security-Policy header by default, which could allow an attacker to obtain sensitive information via unspecified vectors. [CVSS 3.7 LOW]
Android versions up to 14.0 are affected by improper restriction of rendered UI layers or frames (CVSS 8.6).
The CGM CLININET application does not implement any mechanisms that prevent clickjacking attacks; neither HTTP security headers nor HTML-based frame-busting protections were detected. [CVSS 6.1 MEDIUM]
Tenda F3 Wireless Router firmware V12.01.01.55_multi lacks clickjacking protections in its web administrative interface, enabling attackers to embed configuration pages in iframes and manipulate authenticated administrators into making unauthorized changes. Public exploit code exists for this vulnerability, affecting administrators who access the router's management interface. While the impact is limited to configuration tampering rather than direct compromise, the lack of available patches leaves affected devices vulnerable.
Xwiki versions up to 17.9.0 are affected by improper restriction of rendered UI layers or frames (CVSS 6.1).
Information disclosure on locked iOS and iPadOS devices stems from improper UI state management, allowing an attacker with physical device access to view sensitive user data. The vulnerability affects multiple Apple mobile OS versions and currently lacks a public patch, though fixes are available in iOS 26.3, iPadOS 26.3, iOS 18.7.5, and iPadOS 18.7.5.
Dokploy versions up to 0.26.6 are affected by improper restriction of rendered UI layers or frames (CVSS 4.7).
WeGIA prior to version 3.6.2 lacks framing protection headers (X-Frame-Options and Content-Security-Policy), allowing attackers to perform clickjacking attacks by embedding the application within malicious web pages to trick users into unintended actions. Public exploit code exists for this vulnerability, affecting charitable institutions using vulnerable versions of the web manager.