Skip to main content

CWE-451

User Interface (UI) Misrepresentation of Critical Information

274 CVEs Avg CVSS 5.3 MITRE
4
CRITICAL
28
HIGH
229
MEDIUM
13
LOW
22
POC
2
KEV

Monthly

CVE-2026-45150 MEDIUM PATCH This Month

Fullscreen mode in Zen Browser desktop prior to 1.19.13b exposes users to credential-theft phishing by failing to display a persistent, visible security notification when a webpage enters fullscreen. An attacker-controlled page can completely occlude the real browser chrome - including the address bar and origin indicators - then render a convincing imitation of a trusted site's login interface. When combined with long-domain URL eliding, this allows precise origin spoofing; no public exploit has been identified at time of analysis, and the CVSS 4.0 score of 6.3 reflects high subsequent-system integrity and confidentiality impacts despite the attack requiring user interaction.

Mozilla Information Disclosure Desktop
NVD GitHub
CVSS 4.0
6.3
CVE-2026-13356 MEDIUM This Month

Address bar spoofing in Firefox for iOS allows a remote unauthenticated attacker to display a trusted origin in the browser's address bar while the victim views and interacts with fully attacker-controlled content - a classic and effective phishing enabler. The attack exploits a race condition in navigation handling: a malicious page enqueues a synchronous JavaScript dialog at the moment a user navigates away, freezing the address bar on the destination's legitimate origin while the malicious page's content continues to render. No public exploit code has been identified and EPSS is 0.15% (4th percentile), indicating no observed widespread exploitation; however, the technique is conceptually simple and phishing value is high.

Apple Mozilla Information Disclosure
NVD VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2026-45488 MEDIUM PATCH This Month

UI misrepresentation in Microsoft Edge (Chromium-based) prior to version 150.0.4078.48 enables network-based spoofing attacks against users who interact with attacker-controlled web content. The browser fails to accurately present critical security information - such as origin indicators, security status, or authentication prompts - allowing an unauthenticated remote attacker to deceive victims into believing they are interacting with a trusted source. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and a vendor patch is available.

Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
5.9
EPSS
0.3%
CVE-2026-14381 MEDIUM PATCH This Month

UI spoofing in Google Chrome's WebAppInstalls component (versions prior to 150.0.7871.46) enables remote attackers to misrepresent security indicators during Progressive Web App installation prompts via a crafted HTML page. The incorrect security UI (CWE-451) can deceive users into believing they are installing a legitimate, trusted application when they are not, resulting in a low-integrity impact. EPSS is 0.18% (8th percentile), no public exploit code exists, and this vulnerability has not been added to CISA KEV, indicating minimal active exploitation risk at time of analysis.

Information Disclosure Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14410 MEDIUM PATCH This Month

UI spoofing in Google Chrome's Skia graphics engine (versions prior to 150.0.7871.46) allows a remote attacker who has already compromised the renderer process to mislead users through a crafted HTML page. The attack requires renderer process compromise as a prerequisite, making this a chained exploit component rather than a standalone threat. EPSS at 0.18% (8th percentile) and absence from CISA KEV confirm no known active exploitation; Chromium's own team rated this Low severity.

Information Disclosure Google Suse
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-14404 MEDIUM PATCH This Month

UI spoofing via a crafted PDF file in Google Chrome's PDFium rendering engine allows a remote, unauthenticated attacker to visually mislead users into performing unintended actions or trusting falsified content. All Chrome versions prior to 150.0.7871.46 are affected. Exploitation requires the victim to open a malicious PDF - no special configuration is needed beyond default Chrome behavior. No public exploit identified at time of analysis, and CISA SSVC rates exploitation as none with partial technical impact.

Information Disclosure Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14154 MEDIUM PATCH This Month

UI spoofing in Google Chrome's DevTools component allows an attacker to misrepresent critical interface information to users who have been socially engineered into installing a malicious Chrome Extension. Affected versions are all Chrome releases prior to 150.0.7871.47. The flaw stems from an inappropriate implementation (CWE-451) in DevTools, enabling an extension to manipulate how DevTools renders UI elements - potentially deceiving developers or power users into trusting falsified debugging output or security indicators. No public exploit code has been identified at time of analysis, and this vulnerability is not in the CISA KEV catalog.

Information Disclosure Google Suse
NVD
CVSS 3.1
4.8
EPSS
0.1%
CVE-2026-14153 MEDIUM PATCH This Month

UI spoofing in the Glic component of Google Chrome (all versions prior to 150.0.7871.47) enables a remote attacker to misrepresent browser interface elements via a crafted HTML page, provided the victim is socially engineered into performing specific UI gestures. The CVSS vector (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N) assigns high confidentiality impact, suggesting the spoofed UI can be leveraged to elicit disclosure of sensitive information such as credentials or session data. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Information Disclosure Google Suse
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-14144 MEDIUM PATCH This Month

UI spoofing in Google Chrome's Views component (versions prior to 150.0.7871.47) allows a remote attacker to misrepresent security-critical browser interface elements through a crafted HTML page. Exploitation requires convincing a target user to perform specific UI gestures, making the attack conditional on social engineering. No public exploit has been identified and this vulnerability is not listed in the CISA KEV catalog; Google has released a patch as part of the stable channel update.

Information Disclosure Google Suse
NVD
CVSS 3.1
4.2
EPSS
0.1%
CVE-2026-14143 MEDIUM PATCH This Month

Incorrect security UI in Passwords in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

Information Disclosure Apple Google Suse
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVSS 6.3
MEDIUM PATCH This Month

Fullscreen mode in Zen Browser desktop prior to 1.19.13b exposes users to credential-theft phishing by failing to display a persistent, visible security notification when a webpage enters fullscreen. An attacker-controlled page can completely occlude the real browser chrome - including the address bar and origin indicators - then render a convincing imitation of a trusted site's login interface. When combined with long-domain URL eliding, this allows precise origin spoofing; no public exploit has been identified at time of analysis, and the CVSS 4.0 score of 6.3 reflects high subsequent-system integrity and confidentiality impacts despite the attack requiring user interaction.

Mozilla Information Disclosure Desktop
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM This Month

Address bar spoofing in Firefox for iOS allows a remote unauthenticated attacker to display a trusted origin in the browser's address bar while the victim views and interacts with fully attacker-controlled content - a classic and effective phishing enabler. The attack exploits a race condition in navigation handling: a malicious page enqueues a synchronous JavaScript dialog at the moment a user navigates away, freezing the address bar on the destination's legitimate origin while the malicious page's content continues to render. No public exploit code has been identified and EPSS is 0.15% (4th percentile), indicating no observed widespread exploitation; however, the technique is conceptually simple and phishing value is high.

Apple Mozilla Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

UI misrepresentation in Microsoft Edge (Chromium-based) prior to version 150.0.4078.48 enables network-based spoofing attacks against users who interact with attacker-controlled web content. The browser fails to accurately present critical security information - such as origin indicators, security status, or authentication prompts - allowing an unauthenticated remote attacker to deceive victims into believing they are interacting with a trusted source. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and a vendor patch is available.

Authentication Bypass Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

UI spoofing in Google Chrome's WebAppInstalls component (versions prior to 150.0.7871.46) enables remote attackers to misrepresent security indicators during Progressive Web App installation prompts via a crafted HTML page. The incorrect security UI (CWE-451) can deceive users into believing they are installing a legitimate, trusted application when they are not, resulting in a low-integrity impact. EPSS is 0.18% (8th percentile), no public exploit code exists, and this vulnerability has not been added to CISA KEV, indicating minimal active exploitation risk at time of analysis.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

UI spoofing in Google Chrome's Skia graphics engine (versions prior to 150.0.7871.46) allows a remote attacker who has already compromised the renderer process to mislead users through a crafted HTML page. The attack requires renderer process compromise as a prerequisite, making this a chained exploit component rather than a standalone threat. EPSS at 0.18% (8th percentile) and absence from CISA KEV confirm no known active exploitation; Chromium's own team rated this Low severity.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

UI spoofing via a crafted PDF file in Google Chrome's PDFium rendering engine allows a remote, unauthenticated attacker to visually mislead users into performing unintended actions or trusting falsified content. All Chrome versions prior to 150.0.7871.46 are affected. Exploitation requires the victim to open a malicious PDF - no special configuration is needed beyond default Chrome behavior. No public exploit identified at time of analysis, and CISA SSVC rates exploitation as none with partial technical impact.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

UI spoofing in Google Chrome's DevTools component allows an attacker to misrepresent critical interface information to users who have been socially engineered into installing a malicious Chrome Extension. Affected versions are all Chrome releases prior to 150.0.7871.47. The flaw stems from an inappropriate implementation (CWE-451) in DevTools, enabling an extension to manipulate how DevTools renders UI elements - potentially deceiving developers or power users into trusting falsified debugging output or security indicators. No public exploit code has been identified at time of analysis, and this vulnerability is not in the CISA KEV catalog.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

UI spoofing in the Glic component of Google Chrome (all versions prior to 150.0.7871.47) enables a remote attacker to misrepresent browser interface elements via a crafted HTML page, provided the victim is socially engineered into performing specific UI gestures. The CVSS vector (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N) assigns high confidentiality impact, suggesting the spoofed UI can be leveraged to elicit disclosure of sensitive information such as credentials or session data. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

UI spoofing in Google Chrome's Views component (versions prior to 150.0.7871.47) allows a remote attacker to misrepresent security-critical browser interface elements through a crafted HTML page. Exploitation requires convincing a target user to perform specific UI gestures, making the attack conditional on social engineering. No public exploit has been identified and this vulnerability is not listed in the CISA KEV catalog; Google has released a patch as part of the stable channel update.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Incorrect security UI in Passwords in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

Information Disclosure Apple Google +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy