CWE-451
Allowed-with-ReviewUser Interface (UI) Misrepresentation of Critical Information
Abstraction: Class · Status: Draft
The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks.
378 vulnerabilities reference this CWE, most recent first.
GHSA-4HXJ-CQ55-F7PF
Vulnerability from github – Published: 2026-04-09 00:31 – Updated: 2026-04-13 21:30Insufficient policy enforcement in browser UI in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium)
{
"affected": [],
"aliases": [
"CVE-2026-5880"
],
"database_specific": {
"cwe_ids": [
"CWE-451"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-08T22:16:27Z",
"severity": "MODERATE"
},
"details": "Insufficient policy enforcement in browser UI in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium)",
"id": "GHSA-4hxj-cq55-f7pf",
"modified": "2026-04-13T21:30:37Z",
"published": "2026-04-09T00:31:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5880"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/424995036"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4J3G-RJF3-VG36
Vulnerability from github – Published: 2025-11-10 21:30 – Updated: 2025-11-10 21:30Inappropriate implementation in Omnibox in Google Chrome on Android prior to 142.0.7444.137 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
{
"affected": [],
"aliases": [
"CVE-2025-12729"
],
"database_specific": {
"cwe_ids": [
"CWE-451"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-10T20:15:40Z",
"severity": "MODERATE"
},
"details": "Inappropriate implementation in Omnibox in Google Chrome on Android prior to 142.0.7444.137 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)",
"id": "GHSA-4j3g-rjf3-vg36",
"modified": "2025-11-10T21:30:36Z",
"published": "2025-11-10T21:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12729"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/454354281"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4JH7-C2VV-7QF2
Vulnerability from github – Published: 2025-04-30 18:31 – Updated: 2025-05-12 18:31Websites directing users to long URLs that caused eliding to occur in the location view could leverage the truncating behavior to potentially trick users into thinking they were on a different webpage This vulnerability affects Focus < 138.
{
"affected": [],
"aliases": [
"CVE-2025-3859"
],
"database_specific": {
"cwe_ids": [
"CWE-451",
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-30T17:15:50Z",
"severity": "MODERATE"
},
"details": "Websites directing users to long URLs that caused eliding to occur in the location view could leverage the truncating behavior to potentially trick users into thinking they were on a different webpage This vulnerability affects Focus \u003c 138.",
"id": "GHSA-4jh7-c2vv-7qf2",
"modified": "2025-05-12T18:31:20Z",
"published": "2025-04-30T18:31:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3859"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1951533"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-33"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4M82-HW4C-RXFG
Vulnerability from github – Published: 2024-05-14 15:32 – Updated: 2024-05-14 15:32Microsoft Edge (Chromium-based) Spoofing Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-30055"
],
"database_specific": {
"cwe_ids": [
"CWE-451"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T15:21:50Z",
"severity": "MODERATE"
},
"details": "Microsoft Edge (Chromium-based) Spoofing Vulnerability",
"id": "GHSA-4m82-hw4c-rxfg",
"modified": "2024-05-14T15:32:54Z",
"published": "2024-05-14T15:32:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30055"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30055"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4Q7G-XW2P-3724
Vulnerability from github – Published: 2026-05-06 21:31 – Updated: 2026-05-07 01:05Inappropriate implementation in Speech in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
{
"affected": [],
"aliases": [
"CVE-2026-7935"
],
"database_specific": {
"cwe_ids": [
"CWE-451"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-06T19:16:41Z",
"severity": "MODERATE"
},
"details": "Inappropriate implementation in Speech in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)",
"id": "GHSA-4q7g-xw2p-3724",
"modified": "2026-05-07T01:05:51Z",
"published": "2026-05-06T21:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7935"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/489624550"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-535V-MQ2P-6M4M
Vulnerability from github – Published: 2026-07-01 00:34 – Updated: 2026-07-02 03:31Inappropriate implementation in Paint in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
{
"affected": [],
"aliases": [
"CVE-2026-13972"
],
"database_specific": {
"cwe_ids": [
"CWE-451"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-30T23:17:10Z",
"severity": "MODERATE"
},
"details": "Inappropriate implementation in Paint in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)",
"id": "GHSA-535v-mq2p-6m4m",
"modified": "2026-07-02T03:31:26Z",
"published": "2026-07-01T00:34:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13972"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/513792140"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-53GR-WMF4-8HH3
Vulnerability from github – Published: 2026-04-22 18:31 – Updated: 2026-07-06 19:55Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-xv5w-cw7x-72gj. This link is maintained to preserve external references.
Original Description
The id utility in uutils coreutils exhibits incorrect behavior in its "pretty print" output when the real UID and effective UID differ. The implementation incorrectly uses the effective GID instead of the effective UID when performing a name lookup for the effective user. This results in misleading diagnostic output that can cause automated scripts or system administrators to make incorrect decisions regarding file permissions or access control.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "coreutils"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-451"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-30T17:52:13Z",
"nvd_published_at": "2026-04-22T17:16:40Z",
"severity": "LOW"
},
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-xv5w-cw7x-72gj. This link is maintained to preserve external references.\n\n### Original Description\nThe id utility in uutils coreutils exhibits incorrect behavior in its \"pretty print\" output when the real UID and effective UID differ. The implementation incorrectly uses the effective GID instead of the effective UID when performing a name lookup for the effective user. This results in misleading diagnostic output that can cause automated scripts or system administrators to make incorrect decisions regarding file permissions or access control.",
"id": "GHSA-53gr-wmf4-8hh3",
"modified": "2026-07-06T19:55:29Z",
"published": "2026-04-22T18:31:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35371"
},
{
"type": "WEB",
"url": "https://github.com/uutils/coreutils/issues/10006"
},
{
"type": "PACKAGE",
"url": "https://github.com/uutils/coreutils"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Duplicate Advisory: uutils coreutils\u0027s User Interface (UI) Misrepresents Critical Information",
"withdrawn": "2026-07-06T19:55:29Z"
}
GHSA-547P-JX2R-224G
Vulnerability from github – Published: 2022-12-22 21:30 – Updated: 2025-04-15 18:31Through a series of popup and window.print() calls, an attacker can cause a window to go fullscreen without the user seeing the notification prompt, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.
{
"affected": [],
"aliases": [
"CVE-2022-45404"
],
"database_specific": {
"cwe_ids": [
"CWE-451"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-22T20:15:00Z",
"severity": "MODERATE"
},
"details": "Through a series of popup and \u003ccode\u003ewindow.print()\u003c/code\u003e calls, an attacker can cause a window to go fullscreen without the user seeing the notification prompt, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR \u003c 102.5, Thunderbird \u003c 102.5, and Firefox \u003c 107.",
"id": "GHSA-547p-jx2r-224g",
"modified": "2025-04-15T18:31:35Z",
"published": "2022-12-22T21:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45404"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1790815"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-47"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-48"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-49"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-54JR-PMX4-5PVR
Vulnerability from github – Published: 2025-04-29 15:31 – Updated: 2025-04-29 18:30A specially crafted filename containing a large number of encoded newline characters could obscure the file's extension when displayed in the download dialog. This bug only affects Firefox for Android. Other versions of Firefox are unaffected. This vulnerability affects Firefox < 138 and Thunderbird < 138.
{
"affected": [],
"aliases": [
"CVE-2025-4086"
],
"database_specific": {
"cwe_ids": [
"CWE-451"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-29T14:15:35Z",
"severity": "MODERATE"
},
"details": "A specially crafted filename containing a large number of encoded newline characters could obscure the file\u0027s extension when displayed in the download dialog.\n*This bug only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability affects Firefox \u003c 138 and Thunderbird \u003c 138.",
"id": "GHSA-54jr-pmx4-5pvr",
"modified": "2025-04-29T18:30:57Z",
"published": "2025-04-29T15:31:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4086"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1945705"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-28"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-31"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-593V-V2RV-GQR7
Vulnerability from github – Published: 2026-03-12 00:31 – Updated: 2026-03-12 15:30Incorrect security UI in PictureInPicture in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
{
"affected": [],
"aliases": [
"CVE-2026-3942"
],
"database_specific": {
"cwe_ids": [
"CWE-451"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-11T22:16:36Z",
"severity": "MODERATE"
},
"details": "Incorrect security UI in PictureInPicture in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)",
"id": "GHSA-593v-v2rv-gqr7",
"modified": "2026-03-12T15:30:25Z",
"published": "2026-03-12T00:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3942"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_10.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/475238879"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Input Validation
Perform data validation (e.g. syntax, length, etc.) before interpreting the data.
Mitigation
Strategy: Output Encoding
Create a strategy for presenting information, and plan for how to display unusual characters.
CAPEC-154: Resource Location Spoofing
An adversary deceives an application or user and convinces them to request a resource from an unintended location. By spoofing the location, the adversary can cause an alternate resource to be used, often one that the adversary controls and can be used to help them achieve their malicious goals.
CAPEC-163: Spear Phishing
An adversary targets a specific user or group with a Phishing (CAPEC-98) attack tailored to a category of users in order to have maximum relevance and deceptive capability. Spear Phishing is an enhanced version of the Phishing attack targeted to a specific user or group. The quality of the targeted email is usually enhanced by appearing to come from a known or trusted entity. If the email account of some trusted entity has been compromised the message may be digitally signed. The message will contain information specific to the targeted users that will enhance the probability that they will follow the URL to the compromised site. For example, the message may indicate knowledge of the targets employment, residence, interests, or other information that suggests familiarity. As soon as the user follows the instructions in the message, the attack proceeds as a standard Phishing attack.
CAPEC-164: Mobile Phishing
An adversary targets mobile phone users with a phishing attack for the purpose of soliciting account passwords or sensitive information from the user. Mobile Phishing is a variation of the Phishing social engineering technique where the attack is initiated via a text or SMS message, rather than email. The user is enticed to provide information or visit a compromised web site via this message. Apart from the manner in which the attack is initiated, the attack proceeds as a standard Phishing attack.
CAPEC-173: Action Spoofing
An adversary is able to disguise one action for another and therefore trick a user into initiating one type of action when they intend to initiate a different action. For example, a user might be led to believe that clicking a button will submit a query, but in fact it downloads software. Adversaries may perform this attack through social means, such as by simply convincing a victim to perform the action or relying on a user's natural inclination to do so, or through technical means, such as a clickjacking attack where a user sees one interface but is actually interacting with a second, invisible, interface.
CAPEC-98: Phishing
Phishing is a social engineering technique where an attacker masquerades as a legitimate entity with which the victim might do business in order to prompt the user to reveal some confidential information (very frequently authentication credentials) that can later be used by an attacker. Phishing is essentially a form of information gathering or "fishing" for information.