Skip to main content

CWE-1021

Improper Restriction of Rendered UI Layers or Frames

309 CVEs Avg CVSS 5.9 MITRE
7
CRITICAL
74
HIGH
214
MEDIUM
14
LOW
39
POC
0
KEV

Monthly

CVE-2026-40957 MEDIUM PATCH This Month

Frameable content on the Absolute Secure Access server login page (versions prior to 14.55) enables clickjacking attacks that can result in administrator credential theft. An attacker who controls a malicious website can embed the login page in a hidden iframe, luring an unwitting administrator to unknowingly submit their credentials into the framed interface. No public exploit has been identified at time of analysis, and the CVSS 4.0 vector indicates active user interaction is required, limiting opportunistic exploitation.

Secure Access XSS
NVD
CVSS 4.0
6.1
CVE-2026-58595 HIGH PATCH Exploit Unlikely This Week

Spoofing in the Microsoft Bing Search app for iOS lets a remote attacker present deceptive or overlaid UI content that misleads the victim, because the app improperly restricts how rendered UI layers or frames are displayed (CWE-1021, a UI-redressing/clickjacking class of flaw). An unauthenticated attacker who lures a user into interacting with attacker-controlled content can manipulate what the user sees and trusts, potentially inducing them to act on falsified information. Microsoft has released a fix; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Apple Microsoft XSS Microsoft Bing Search For Ios
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2026-59791 LOW PATCH Monitor

CSS injection via Mermaid diagram rendering in JetBrains YouTrack before version 2026.2.17012 permits authenticated low-privilege users to embed malicious CSS into diagram content that executes in the browsers of other users who view the affected page. The CVSS score of 3.5 (Low) reflects the dual gating conditions of required authentication and victim interaction, substantially constraining real-world impact to UI manipulation rather than data exfiltration or code execution. No public exploit code or active exploitation has been identified at time of analysis.

XSS Youtrack
NVD
CVSS 3.1
3.5
EPSS
0.1%
CVE-2026-38979 MEDIUM This Month

Clickjacking in Ajenti's browser-facing login and administrative UI through v2.2.13 exposes authenticated administrators to UI redress attacks. The root cause is in ajenti-core/aj/http.py, where the core HTTP response pipeline finalizes responses via WSGI without injecting X-Frame-Options or a Content-Security-Policy frame-ancestors directive, allowing the Ajenti UI to be embedded in attacker-controlled iframes. No active exploitation has been identified - EPSS sits at 0.14% (4th percentile), SSVC exploitation is rated none, and no CISA KEV listing exists - placing this firmly in the low-urgency queue despite its medium CVSS score.

XSS N A
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-14142 MEDIUM PATCH This Month

UI spoofing in Google Chrome's Extensions implementation (all versions prior to 150.0.7871.47) enables a remote attacker - who has already achieved renderer process compromise via a separate exploit - to render deceptive UI elements through a crafted HTML page, potentially misleading users into unintended interactions. The vulnerability carries a CVSS 5.4 Medium score, though Chromium's internal rating is Low, and the EPSS score of 0.18% (8th percentile) reflects minimal exploitation probability. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis.

XSS Google Suse
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-12348 HIGH This Week

Address bar spoofing in The Browser Company's Arc Search for Android allows remote attackers to render attacker-controlled content beneath a legitimate-looking URL in the address bar, enabling high-fidelity phishing against mobile users. The flaw maps to CWE-1021 (improper restriction of rendered UI layers) and carries a CVSS 7.4 due to the integrity impact on user trust decisions, though successful exploitation requires user interaction. No public exploit identified at time of analysis, but a HackerOne report (#3705306) suggests reproducible POC details exist within the disclosure program.

Google XSS Arc Search
NVD
CVSS 3.1
7.4
EPSS
0.4%
CVE-2026-12323 MEDIUM PATCH This Month

Spoofing via CWE-1021 (UI layer restriction failure) in Mozilla Firefox's DOM Core & HTML component allows remote unauthenticated attackers to render deceptive UI content in a victim's browser when they interact with a malicious web page. All Firefox versions prior to 152 are affected. No public exploit has been identified at time of analysis, and CISA SSVC assessment classifies exploitation status as none with partial technical impact, placing real-world urgency below the moderate CVSS score suggests.

Mozilla XSS Suse Red Hat
NVD VulDB
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-12322 MEDIUM PATCH This Month

Clickjacking issue in the Widget: Gtk component. This vulnerability was fixed in Firefox 152.

Mozilla XSS Suse Red Hat
NVD VulDB
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-10733 MEDIUM PATCH This Month

Denial of service on the GitLab CI/CD Catalog page is achievable by any authenticated user across a broad version range (17.0 through pre-patch releases of 18.10, 18.11, and 19.0) due to improper sanitization of user-supplied content. The low-privilege, network-accessible attack vector means any GitLab account holder can trigger the condition without elevated permissions or complex setup. No public exploit code or CISA KEV listing has been identified at time of analysis, and the limited availability impact (A:L) constrains real-world severity, though the wide version exposure across three concurrent release branches broadens organizational risk.

Gitlab XSS Denial Of Service
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-47723 Go HIGH PATCH GHSA This Week

Missing browser security headers in nebula-mesh (Go-based mesh admin platform) through v0.3.0 expose the admin UI and API to clickjacking, MIME-sniffing, referrer leakage, and TLS downgrade attacks. The admin surfaces affected handle high-value operations including CA certificate signing, API key minting, TOTP QR display, and operator management, making framing or MIME confusion attacks materially impactful. No public exploit identified at time of analysis, and the issue was reported by the maintainer with a patch released in v0.3.1.

CSRF XSS
NVD GitHub
EPSS
0.0%
CVSS 6.1
MEDIUM PATCH This Month

Frameable content on the Absolute Secure Access server login page (versions prior to 14.55) enables clickjacking attacks that can result in administrator credential theft. An attacker who controls a malicious website can embed the login page in a hidden iframe, luring an unwitting administrator to unknowingly submit their credentials into the framed interface. No public exploit has been identified at time of analysis, and the CVSS 4.0 vector indicates active user interaction is required, limiting opportunistic exploitation.

Secure Access XSS
NVD
EPSS 0% CVSS 8.1
HIGH PATCH Exploit Unlikely This Week

Spoofing in the Microsoft Bing Search app for iOS lets a remote attacker present deceptive or overlaid UI content that misleads the victim, because the app improperly restricts how rendered UI layers or frames are displayed (CWE-1021, a UI-redressing/clickjacking class of flaw). An unauthenticated attacker who lures a user into interacting with attacker-controlled content can manipulate what the user sees and trusts, potentially inducing them to act on falsified information. Microsoft has released a fix; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Apple Microsoft XSS +1
NVD
EPSS 0% CVSS 3.5
LOW PATCH Monitor

CSS injection via Mermaid diagram rendering in JetBrains YouTrack before version 2026.2.17012 permits authenticated low-privilege users to embed malicious CSS into diagram content that executes in the browsers of other users who view the affected page. The CVSS score of 3.5 (Low) reflects the dual gating conditions of required authentication and victim interaction, substantially constraining real-world impact to UI manipulation rather than data exfiltration or code execution. No public exploit code or active exploitation has been identified at time of analysis.

XSS Youtrack
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Clickjacking in Ajenti's browser-facing login and administrative UI through v2.2.13 exposes authenticated administrators to UI redress attacks. The root cause is in ajenti-core/aj/http.py, where the core HTTP response pipeline finalizes responses via WSGI without injecting X-Frame-Options or a Content-Security-Policy frame-ancestors directive, allowing the Ajenti UI to be embedded in attacker-controlled iframes. No active exploitation has been identified - EPSS sits at 0.14% (4th percentile), SSVC exploitation is rated none, and no CISA KEV listing exists - placing this firmly in the low-urgency queue despite its medium CVSS score.

XSS N A
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

UI spoofing in Google Chrome's Extensions implementation (all versions prior to 150.0.7871.47) enables a remote attacker - who has already achieved renderer process compromise via a separate exploit - to render deceptive UI elements through a crafted HTML page, potentially misleading users into unintended interactions. The vulnerability carries a CVSS 5.4 Medium score, though Chromium's internal rating is Low, and the EPSS score of 0.18% (8th percentile) reflects minimal exploitation probability. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis.

XSS Google Suse
NVD
EPSS 0% CVSS 7.4
HIGH This Week

Address bar spoofing in The Browser Company's Arc Search for Android allows remote attackers to render attacker-controlled content beneath a legitimate-looking URL in the address bar, enabling high-fidelity phishing against mobile users. The flaw maps to CWE-1021 (improper restriction of rendered UI layers) and carries a CVSS 7.4 due to the integrity impact on user trust decisions, though successful exploitation requires user interaction. No public exploit identified at time of analysis, but a HackerOne report (#3705306) suggests reproducible POC details exist within the disclosure program.

Google XSS Arc Search
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Spoofing via CWE-1021 (UI layer restriction failure) in Mozilla Firefox's DOM Core & HTML component allows remote unauthenticated attackers to render deceptive UI content in a victim's browser when they interact with a malicious web page. All Firefox versions prior to 152 are affected. No public exploit has been identified at time of analysis, and CISA SSVC assessment classifies exploitation status as none with partial technical impact, placing real-world urgency below the moderate CVSS score suggests.

Mozilla XSS Suse +1
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Clickjacking issue in the Widget: Gtk component. This vulnerability was fixed in Firefox 152.

Mozilla XSS Suse +1
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Denial of service on the GitLab CI/CD Catalog page is achievable by any authenticated user across a broad version range (17.0 through pre-patch releases of 18.10, 18.11, and 19.0) due to improper sanitization of user-supplied content. The low-privilege, network-accessible attack vector means any GitLab account holder can trigger the condition without elevated permissions or complex setup. No public exploit code or CISA KEV listing has been identified at time of analysis, and the limited availability impact (A:L) constrains real-world severity, though the wide version exposure across three concurrent release branches broadens organizational risk.

Gitlab XSS Denial Of Service
NVD
EPSS 0%
HIGH PATCH This Week

Missing browser security headers in nebula-mesh (Go-based mesh admin platform) through v0.3.0 expose the admin UI and API to clickjacking, MIME-sniffing, referrer leakage, and TLS downgrade attacks. The admin surfaces affected handle high-value operations including CA certificate signing, API key minting, TOTP QR display, and operator management, making framing or MIME confusion attacks materially impactful. No public exploit identified at time of analysis, and the issue was reported by the maintainer with a patch released in v0.3.1.

CSRF XSS
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy