GHSA-q42j-x8rq-pjg6
Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (CNA) · only source for this CVE.
CVSS VectorVendor
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5Description PRE-NVD
AnalysisAI
Improper input validation in Apache Cordova Plugin InAppBrowser on iOS allows remote attackers to dispatch arbitrary Cordova callback IDs without validation, potentially leading to remote code execution within the hybrid app context. The issue was disclosed June 7, 2026 via the oss-security mailing list by an Apache contributor and is tagged RCE; no public exploit has been identified at time of analysis and it is not present in CISA KEV. The CVSS 4.0 base score of 9.5 reflects high impact across confidentiality, integrity, and availability of both the vulnerable component and downstream subsequent systems.
Technical ContextAI
Apache Cordova InAppBrowser is a widely deployed plugin that opens a child web view inside hybrid mobile applications, bridging JavaScript in the embedded page with native iOS code via Cordova's callback ID mechanism. The root cause is CWE-20 (Improper Input Validation): the iOS implementation accepts arbitrary callback IDs from the in-browser content and dispatches them into the native bridge without verifying that the ID belongs to a legitimate, plugin-issued request. Because Cordova's callback registry is shared across plugins, an unvalidated dispatch lets attacker-controlled web content invoke or hijack callbacks intended for other plugin operations within the host application's privileged native context.
RemediationAI
No vendor-released patch version is identified in the supplied intelligence; teams should monitor the Apache advisory thread at https://lists.apache.org/thread/sb539nss3b0545wnyt1pbh7zgwjvz2qq and the oss-security posts at https://www.openwall.com/lists/oss-security/2026/06/07 and https://seclists.org/oss-sec/2026/q2/829 for the fixed release of cordova-plugin-inappbrowser and rebuild iOS app bundles against it as soon as it ships. As compensating controls until then, restrict InAppBrowser navigation to a strict allowlist of trusted origins via the plugin's allow-navigation / allow-intent configuration (trade-off: breaks legitimate third-party links), disable or remove InAppBrowser entirely from screens that load untrusted content and route those flows through SFSafariViewController instead (trade-off: loses JS-bridge functionality), and ensure no sensitive plugins (file, geolocation, contacts, custom native bridges) are loaded in app contexts that can reach attacker-controlled web content (trade-off: reduced feature surface in the hybrid app).
Same weakness CWE-20 – Improper Input Validation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35041