Skip to main content

Cordova InAppBrowser EUVDEUVD-2026-35041

| CVE-2026-47430 CRITICAL
Improper Input Validation (CWE-20)
9.5
CVSS 4.0 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
9.5 CRITICAL
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (CNA) · only source for this CVE.

CVSS VectorVendor

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
Jun 08, 2026 - 12:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 08, 2026 - 12:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 08, 2026 - 12:22 vuln.today
cvss_changed
CVSS changed
Jun 08, 2026 - 12:22 NVD
9.5 (CRITICAL)
Analysis Generated
Jun 07, 2026 - 12:45 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Improper input validation in Apache Cordova Plugin InAppBrowser on iOS allows remote attackers to dispatch arbitrary Cordova callback IDs without validation, potentially leading to remote code execution within the hybrid app context. The issue was disclosed June 7, 2026 via the oss-security mailing list by an Apache contributor and is tagged RCE; no public exploit has been identified at time of analysis and it is not present in CISA KEV. The CVSS 4.0 base score of 9.5 reflects high impact across confidentiality, integrity, and availability of both the vulnerable component and downstream subsequent systems.

Technical ContextAI

Apache Cordova InAppBrowser is a widely deployed plugin that opens a child web view inside hybrid mobile applications, bridging JavaScript in the embedded page with native iOS code via Cordova's callback ID mechanism. The root cause is CWE-20 (Improper Input Validation): the iOS implementation accepts arbitrary callback IDs from the in-browser content and dispatches them into the native bridge without verifying that the ID belongs to a legitimate, plugin-issued request. Because Cordova's callback registry is shared across plugins, an unvalidated dispatch lets attacker-controlled web content invoke or hijack callbacks intended for other plugin operations within the host application's privileged native context.

RemediationAI

No vendor-released patch version is identified in the supplied intelligence; teams should monitor the Apache advisory thread at https://lists.apache.org/thread/sb539nss3b0545wnyt1pbh7zgwjvz2qq and the oss-security posts at https://www.openwall.com/lists/oss-security/2026/06/07 and https://seclists.org/oss-sec/2026/q2/829 for the fixed release of cordova-plugin-inappbrowser and rebuild iOS app bundles against it as soon as it ships. As compensating controls until then, restrict InAppBrowser navigation to a strict allowlist of trusted origins via the plugin's allow-navigation / allow-intent configuration (trade-off: breaks legitimate third-party links), disable or remove InAppBrowser entirely from screens that load untrusted content and route those flows through SFSafariViewController instead (trade-off: loses JS-bridge functionality), and ensure no sensitive plugins (file, geolocation, contacts, custom native bridges) are loaded in app contexts that can reach attacker-controlled web content (trade-off: reduced feature surface in the hybrid app).

Share

EUVD-2026-35041 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy