Common Weakness Enumeration

CWE-451

Allowed-with-Review

User Interface (UI) Misrepresentation of Critical Information

Abstraction: Class · Status: Draft

The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks.

378 vulnerabilities reference this CWE, most recent first.

GHSA-JF6G-R5J3-QF84

Vulnerability from github – Published: 2026-07-01 00:34 – Updated: 2026-07-01 18:31
VLAI
Details

Inappropriate implementation in WebAppInstalls in Google Chrome on Android prior to 150.0.7871.47 allowed a local attacker to perform UI spoofing via a malicious file. (Chromium security severity: Low)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-14114"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-451"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-30T23:17:23Z",
    "severity": "HIGH"
  },
  "details": "Inappropriate implementation in WebAppInstalls in Google Chrome on Android prior to 150.0.7871.47 allowed a local attacker to perform UI spoofing via a malicious file. (Chromium security severity: Low)",
  "id": "GHSA-jf6g-r5j3-qf84",
  "modified": "2026-07-01T18:31:40Z",
  "published": "2026-07-01T00:34:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14114"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/513743129"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JGCH-4H46-4Q53

Vulnerability from github – Published: 2026-07-01 00:34 – Updated: 2026-07-01 18:31
VLAI
Details

Inappropriate implementation in Extensions in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-14142"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1021",
      "CWE-451"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-30T23:17:25Z",
    "severity": "MODERATE"
  },
  "details": "Inappropriate implementation in Extensions in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)",
  "id": "GHSA-jgch-4h46-4q53",
  "modified": "2026-07-01T18:31:41Z",
  "published": "2026-07-01T00:34:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14142"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/514073460"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JGP7-M5H4-GF5P

Vulnerability from github – Published: 2026-06-05 00:31 – Updated: 2026-06-05 15:32
VLAI
Details

Inappropriate implementation in File Input in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-11228"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-451"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-04T23:17:30Z",
    "severity": "MODERATE"
  },
  "details": "Inappropriate implementation in File Input in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)",
  "id": "GHSA-jgp7-m5h4-gf5p",
  "modified": "2026-06-05T15:32:19Z",
  "published": "2026-06-05T00:31:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11228"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/454484864"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JJRW-XPW9-V3QH

Vulnerability from github – Published: 2022-09-25 00:00 – Updated: 2022-09-28 00:00
VLAI
Details

The issue was addressed with improved UI handling. This issue is fixed in watchOS 8.7, tvOS 15.6, iOS 15.6 and iPadOS 15.6, macOS Monterey 12.5. Visiting a website that frames malicious content may lead to UI spoofing.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-32816"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-451"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-23T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The issue was addressed with improved UI handling. This issue is fixed in watchOS 8.7, tvOS 15.6, iOS 15.6 and iPadOS 15.6, macOS Monterey 12.5. Visiting a website that frames malicious content may lead to UI spoofing.",
  "id": "GHSA-jjrw-xpw9-v3qh",
  "modified": "2022-09-28T00:00:20Z",
  "published": "2022-09-25T00:00:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32816"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213340"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213342"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213345"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213346"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JM5G-9RWJ-6FH6

Vulnerability from github – Published: 2026-07-01 00:34 – Updated: 2026-07-01 18:31
VLAI
Details

Insufficient validation of untrusted input in Autofill in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-13995"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-451"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-30T23:17:12Z",
    "severity": "MODERATE"
  },
  "details": "Insufficient validation of untrusted input in Autofill in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)",
  "id": "GHSA-jm5g-9rwj-6fh6",
  "modified": "2026-07-01T18:31:34Z",
  "published": "2026-07-01T00:34:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13995"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/514067524"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JP9X-52HW-X955

Vulnerability from github – Published: 2026-07-01 00:34 – Updated: 2026-07-01 18:31
VLAI
Details

Inappropriate implementation in Select in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Low)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-14077"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-451"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-30T23:17:19Z",
    "severity": "MODERATE"
  },
  "details": "Inappropriate implementation in Select in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Low)",
  "id": "GHSA-jp9x-52hw-x955",
  "modified": "2026-07-01T18:31:38Z",
  "published": "2026-07-01T00:34:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14077"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/511869411"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JV4P-CJWP-G497

Vulnerability from github – Published: 2026-05-12 03:31 – Updated: 2026-05-12 03:31
VLAI
Details

SAPUI5 (Search UI) allows an unauthenticated attacker to manipulate specific URL parameters on the Search UI to include malicious content. Successful exploitation may mislead victim users into clicking and accessing attacker-controlled pages rendered by the application. This vulnerability has a low impact on confidentiality with no effect on the integrity and availability of the application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-34258"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-451"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-12T03:16:11Z",
    "severity": "MODERATE"
  },
  "details": "SAPUI5 (Search UI) allows an unauthenticated attacker to manipulate specific URL parameters on the Search UI to include malicious content. Successful exploitation may mislead victim users into clicking and accessing attacker-controlled pages rendered by the application. This vulnerability has a low impact on confidentiality with no effect on the integrity and availability of the application.",
  "id": "GHSA-jv4p-cjwp-g497",
  "modified": "2026-05-12T03:31:26Z",
  "published": "2026-05-12T03:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34258"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3726583"
    },
    {
      "type": "WEB",
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JWV5-943C-F5WH

Vulnerability from github – Published: 2026-02-16 15:32 – Updated: 2026-02-17 15:31
VLAI
Details

Malicious scripts that interrupt new tab page loading could cause desynchronization between the address bar and page content, allowing the attacker to spoof arbitrary HTML under a trusted domain. This vulnerability affects Firefox for iOS < 147.2.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-2032"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290",
      "CWE-451"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-16T15:18:34Z",
    "severity": "MODERATE"
  },
  "details": "Malicious scripts that interrupt new tab page loading could cause desynchronization between the address bar and page content, allowing the attacker to spoof arbitrary HTML under a trusted domain. This vulnerability affects Firefox for iOS \u003c 147.2.1.",
  "id": "GHSA-jwv5-943c-f5wh",
  "modified": "2026-02-17T15:31:34Z",
  "published": "2026-02-16T15:32:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2032"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2012152"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-09"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M3CX-VC9Q-88C3

Vulnerability from github – Published: 2023-05-31 00:31 – Updated: 2023-11-25 12:30
VLAI
Details

Inappropriate implementation in Picture In Picture in Google Chrome prior to 114.0.5735.90 allowed a remote attacker who had compromised the renderer process to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-2937"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-451"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-30T22:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Inappropriate implementation in Picture In Picture in Google Chrome prior to 114.0.5735.90 allowed a remote attacker who had compromised the renderer process to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium)",
  "id": "GHSA-m3cx-vc9q-88c3",
  "modified": "2023-11-25T12:30:22Z",
  "published": "2023-05-31T00:31:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2937"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2023/05/stable-channel-update-for-desktop_30.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1413813"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202311-11"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202401-34"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5418"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M3R7-8GW7-QWVC

Vulnerability from github – Published: 2024-12-13 20:36 – Updated: 2025-08-14 22:16
VLAI
Summary
thorsten/phpmyfaq Unintended File Download Triggered by Embedded Frames
Details

Summary

A vulnerability exists in the FAQ Record component where a privileged attacker can trigger a file download on a victim's machine upon page visit by embedding it in an element without user interaction or explicit consent.

Details

In http://localhost/admin/index.php?action=editentry&id=20&lang=en, where a FAQ record is either created or edited, an attacker can insert an iframe, as "source code", pointing to a prior "malicious" attachment that the attacker has uploaded via FAQ "new attachment" upload, such that any page visits to this FAQ will trigger an automated download (from the edit screen, download is automated; from the faq page view as a normal user, depending on the browser, a pop up confirmation may be presented before the actual download. Firebox browser, for instance, does not require any interactions). image

PoC

  1. create a new FAQ record and upload a "malicious" file - in my case, I uploaded an eicar file. take note of the uri, ie

    <iframe "index.php?action=attachment&id=2" image

  2. in the FAQ record, insert a "source code" blob using the "< >" button

  3. insert in the following snippet:

    and save FAQ record
  4. once the edit page reloads, the malicious code will be downloaded onto the local machine without user interaction: image

(uploaded a POC for easy demonstration: https://roy.demo.phpmyfaq.de/admin/index.php?action=editentry&id=20&lang=en although a fresh installation overwrites this demo instance every 24 hours)

(as a logged in normal user, visit: https://roy.demo.phpmyfaq.de/content/1/20/en/20.html)

Impact

Malicious code or binaries could be dropped on visitors' machines when visiting the FAQ platform. Take a worm or ransomware for instance.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "thorsten/phpmyfaq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-55889"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-451"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-13T20:36:08Z",
    "nvd_published_at": "2024-12-13T14:15:22Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nA vulnerability exists in the FAQ Record component where a privileged attacker can trigger a file download on a victim\u0027s machine upon page visit by embedding it in an \u003ciframe\u003e element without user interaction or explicit consent. \n\n### Details\nIn http://localhost/admin/index.php?action=editentry\u0026id=20\u0026lang=en, where a FAQ record is either created or edited, an attacker can insert an iframe, as \"source code\", pointing to a prior \"malicious\" attachment that the attacker has uploaded via FAQ \"new attachment\" upload, such that any page visits to this FAQ will trigger an automated download (from the edit screen, download is automated; from the faq page view as a normal user, depending on the browser, a pop up confirmation may be presented before the actual download. Firebox browser, for instance, does not require any interactions).\n![image](https://github.com/user-attachments/assets/74fee719-1eea-4bcb-9c7d-da0c5045c74b)\n\n### PoC\n\n1. create a new FAQ record and upload a \"malicious\" file - in my case, I uploaded an eicar file. take note of the uri, ie \u003cp\u003e\u003ciframe \"index.php?action=attachment\u0026amp;id=2\"\n![image](https://github.com/user-attachments/assets/06072ef6-9311-423a-a735-1d6a3274cde8)\n\n3. in the FAQ record, insert a \"source code\" blob using the \"\u003c \u003e\" button\n4. insert in the following snippet: \u003cp\u003e\u003ciframe src=\"index.php?action=attachment\u0026amp;id=2\"\u003e\u003c/iframe\u003e\u003c/p\u003e and save FAQ record\n5. once the edit page reloads, the malicious code will be downloaded onto the local machine without user interaction:\n![image](https://github.com/user-attachments/assets/b10e137f-de01-4268-8f9c-0b440ae45349)\n\n(uploaded a POC for easy demonstration: https://roy.demo.phpmyfaq.de/admin/index.php?action=editentry\u0026id=20\u0026lang=en\nalthough a fresh installation overwrites this demo instance every 24 hours)\n\n(as a logged in normal user, visit: https://roy.demo.phpmyfaq.de/content/1/20/en/20.html)\n\n### Impact\nMalicious code or binaries could be dropped on visitors\u0027 machines when visiting the FAQ platform. Take a worm or ransomware for instance.",
  "id": "GHSA-m3r7-8gw7-qwvc",
  "modified": "2025-08-14T22:16:40Z",
  "published": "2024-12-13T20:36:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-m3r7-8gw7-qwvc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55889"
    },
    {
      "type": "WEB",
      "url": "https://github.com/thorsten/phpMyFAQ/commit/fa0f7368dc3288eedb1915def64ef8fb270f711d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/thorsten/phpMyFAQ"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "thorsten/phpmyfaq Unintended File Download Triggered by Embedded Frames"
}

Mitigation
Implementation

Strategy: Input Validation

Perform data validation (e.g. syntax, length, etc.) before interpreting the data.

Mitigation
Architecture and Design

Strategy: Output Encoding

Create a strategy for presenting information, and plan for how to display unusual characters.

CAPEC-154: Resource Location Spoofing

An adversary deceives an application or user and convinces them to request a resource from an unintended location. By spoofing the location, the adversary can cause an alternate resource to be used, often one that the adversary controls and can be used to help them achieve their malicious goals.

CAPEC-163: Spear Phishing

An adversary targets a specific user or group with a Phishing (CAPEC-98) attack tailored to a category of users in order to have maximum relevance and deceptive capability. Spear Phishing is an enhanced version of the Phishing attack targeted to a specific user or group. The quality of the targeted email is usually enhanced by appearing to come from a known or trusted entity. If the email account of some trusted entity has been compromised the message may be digitally signed. The message will contain information specific to the targeted users that will enhance the probability that they will follow the URL to the compromised site. For example, the message may indicate knowledge of the targets employment, residence, interests, or other information that suggests familiarity. As soon as the user follows the instructions in the message, the attack proceeds as a standard Phishing attack.

CAPEC-164: Mobile Phishing

An adversary targets mobile phone users with a phishing attack for the purpose of soliciting account passwords or sensitive information from the user. Mobile Phishing is a variation of the Phishing social engineering technique where the attack is initiated via a text or SMS message, rather than email. The user is enticed to provide information or visit a compromised web site via this message. Apart from the manner in which the attack is initiated, the attack proceeds as a standard Phishing attack.

CAPEC-173: Action Spoofing

An adversary is able to disguise one action for another and therefore trick a user into initiating one type of action when they intend to initiate a different action. For example, a user might be led to believe that clicking a button will submit a query, but in fact it downloads software. Adversaries may perform this attack through social means, such as by simply convincing a victim to perform the action or relying on a user's natural inclination to do so, or through technical means, such as a clickjacking attack where a user sees one interface but is actually interacting with a second, invisible, interface.

CAPEC-98: Phishing

Phishing is a social engineering technique where an attacker masquerades as a legitimate entity with which the victim might do business in order to prompt the user to reveal some confidential information (very frequently authentication credentials) that can later be used by an attacker. Phishing is essentially a form of information gathering or "fishing" for information.