Skip to main content

CWE-357

Insufficient UI Warning of Dangerous Operations

18 CVEs Avg CVSS 5.9 MITRE
0
CRITICAL
7
HIGH
10
MEDIUM
1
LOW
3
POC
0
KEV

Monthly

CVE-2026-58597 MEDIUM PATCH This Month

Insufficient UI warning of dangerous operations in Microsoft Edge (Chromium-based) before version 150.0.4078.48 enables network-based spoofing attacks against users who interact with adversary-controlled content. Per the CVSS vector (PR:N, UI:R), an unauthenticated remote attacker can exploit this flaw without any privileges, but requires the victim to interact with the browser during the attack. No public exploit identified at time of analysis; the Medium CVSS score of 4.3 and confidentiality-only impact (C:L) reflect a bounded but real risk primarily useful for phishing, credential harvesting, or identity spoofing scenarios.

Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
4.3
EPSS
0.4%
CVE-2026-47782 MEDIUM This Month

Silent file download in RoboForm Password Manager for Android (Siber Systems, Inc.) can be triggered by a co-installed malicious application delivering a crafted Android Intent containing an attacker-controlled URL. RoboForm fails to validate the URL destination, request user confirmation, or surface any notification before fetching and writing remote content to the device. Reported by JPCERT (JVNVU93461473) with no CISA KEV listing and no public exploit identified at time of analysis, placing this in a moderate-low real-world risk category despite the sensitive nature of the affected product - a password manager.

Information Disclosure Google
NVD
CVSS 4.0
4.6
EPSS
0.0%
CVE-2026-26151 HIGH PATCH Exploit Likely This Week

Windows Remote Desktop spoofing vulnerability allows remote unauthenticated attackers to bypass security warnings and trick users into accepting malicious RDP connections, potentially exposing sensitive session data. Affects all supported Windows 10, 11, and Server versions from 2012 through 2025. Vendor-released patches are available. No public exploit identified at time of analysis, though the low attack complexity (AC:L) and network attack vector (AV:N) indicate exploitation would be straight

Authentication Bypass Microsoft
NVD VulDB
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-47967 MEDIUM Monitor

Insufficient ui warning of dangerous operations in Microsoft Edge for Android allows an unauthorized attacker to perform spoofing over a network. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Google Microsoft Edge Android
NVD
CVSS 3.1
4.7
EPSS
0.1%
CVE-2025-33054 HIGH PATCH This Week

A security vulnerability in Insufficient UI warning of dangerous operations in Remote Desktop Client (CVSS 8.1) that allows an unauthorized attacker. High severity vulnerability requiring prompt remediation.

Authentication Bypass Windows 11 24h2 Windows Server 2025 Windows 11 22h2 Windows 11 23h2 +1
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-49587 Maven HIGH POC PATCH This Week

Stored XSS vulnerability in XWiki affecting versions before 15.10.16, 16.4.7, and 16.10.2. An unprivileged user can inject malicious content into the NotificationDisplayerClass object of a document, which is then rendered as raw HTML when an administrator edits and saves the document, enabling XSS attacks with high integrity and confidentiality impact. The vulnerability requires low attack complexity and user interaction (admin action), with a CVSS score of 8.0 indicating significant real-world risk.

XSS Xwiki
NVD GitHub
CVSS 3.1
8.0
EPSS
0.3%
CVE-2025-49585 Maven HIGH POC PATCH This Week

A security vulnerability in versions (CVSS 8.0). Risk factors: public PoC available. Vendor patch is available.

RCE Privilege Escalation Code Injection Xwiki
NVD GitHub
CVSS 3.1
8.0
EPSS
0.3%
CVE-2025-49582 Maven HIGH POC PATCH This Week

XWiki's macro rights analyzer introduced in version 15.9RC1 contains incomplete validation that allows attackers to hide malicious script macros (Groovy, Python) by exploiting non-lowercase parameter handling and unanalyzed macro parameters. An authenticated attacker with limited privileges can inject hidden malicious macros that execute when a higher-privileged user edits the page, enabling remote code execution. This vulnerability affects XWiki versions 15.9RC1 through 16.4.6, 16.10.0-16.10.2, and 16.x-17.0.0-rc1, with patches available in versions 16.4.7, 16.10.3, and 17.0.0.

Python RCE Xwiki
NVD GitHub
CVSS 3.1
8.0
EPSS
0.6%
CVE-2024-49054 MEDIUM This Month

Microsoft Edge (Chromium-based) Spoofing Vulnerability. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Google Microsoft Edge Chromium
NVD
CVSS 3.1
4.3
EPSS
0.6%
CVE-2024-43580 MEDIUM PATCH This Month

Microsoft Edge (Chromium-based) Spoofing Vulnerability. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Google Microsoft Edge Chromium
NVD
CVSS 3.1
5.4
EPSS
0.4%
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Insufficient UI warning of dangerous operations in Microsoft Edge (Chromium-based) before version 150.0.4078.48 enables network-based spoofing attacks against users who interact with adversary-controlled content. Per the CVSS vector (PR:N, UI:R), an unauthenticated remote attacker can exploit this flaw without any privileges, but requires the victim to interact with the browser during the attack. No public exploit identified at time of analysis; the Medium CVSS score of 4.3 and confidentiality-only impact (C:L) reflect a bounded but real risk primarily useful for phishing, credential harvesting, or identity spoofing scenarios.

Authentication Bypass Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 4.6
MEDIUM This Month

Silent file download in RoboForm Password Manager for Android (Siber Systems, Inc.) can be triggered by a co-installed malicious application delivering a crafted Android Intent containing an attacker-controlled URL. RoboForm fails to validate the URL destination, request user confirmation, or surface any notification before fetching and writing remote content to the device. Reported by JPCERT (JVNVU93461473) with no CISA KEV listing and no public exploit identified at time of analysis, placing this in a moderate-low real-world risk category despite the sensitive nature of the affected product - a password manager.

Information Disclosure Google
NVD
EPSS 0% CVSS 7.1
HIGH PATCH Exploit Likely This Week

Windows Remote Desktop spoofing vulnerability allows remote unauthenticated attackers to bypass security warnings and trick users into accepting malicious RDP connections, potentially exposing sensitive session data. Affects all supported Windows 10, 11, and Server versions from 2012 through 2025. Vendor-released patches are available. No public exploit identified at time of analysis, though the low attack complexity (AC:L) and network attack vector (AV:N) indicate exploitation would be straight

Authentication Bypass Microsoft
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM Monitor

Insufficient ui warning of dangerous operations in Microsoft Edge for Android allows an unauthorized attacker to perform spoofing over a network. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Google Microsoft +2
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

A security vulnerability in Insufficient UI warning of dangerous operations in Remote Desktop Client (CVSS 8.1) that allows an unauthorized attacker. High severity vulnerability requiring prompt remediation.

Authentication Bypass Windows 11 24h2 Windows Server 2025 +3
NVD
EPSS 0% CVSS 8.0
HIGH POC PATCH This Week

Stored XSS vulnerability in XWiki affecting versions before 15.10.16, 16.4.7, and 16.10.2. An unprivileged user can inject malicious content into the NotificationDisplayerClass object of a document, which is then rendered as raw HTML when an administrator edits and saves the document, enabling XSS attacks with high integrity and confidentiality impact. The vulnerability requires low attack complexity and user interaction (admin action), with a CVSS score of 8.0 indicating significant real-world risk.

XSS Xwiki
NVD GitHub
EPSS 0% CVSS 8.0
HIGH POC PATCH This Week

A security vulnerability in versions (CVSS 8.0). Risk factors: public PoC available. Vendor patch is available.

RCE Privilege Escalation Code Injection +1
NVD GitHub
EPSS 1% CVSS 8.0
HIGH POC PATCH This Week

XWiki's macro rights analyzer introduced in version 15.9RC1 contains incomplete validation that allows attackers to hide malicious script macros (Groovy, Python) by exploiting non-lowercase parameter handling and unanalyzed macro parameters. An authenticated attacker with limited privileges can inject hidden malicious macros that execute when a higher-privileged user edits the page, enabling remote code execution. This vulnerability affects XWiki versions 15.9RC1 through 16.4.6, 16.10.0-16.10.2, and 16.x-17.0.0-rc1, with patches available in versions 16.4.7, 16.10.3, and 17.0.0.

Python RCE Xwiki
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM This Month

Microsoft Edge (Chromium-based) Spoofing Vulnerability. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Google Microsoft +1
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Microsoft Edge (Chromium-based) Spoofing Vulnerability. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Google Microsoft +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy