Loading...
Loading...
191 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
Windows SmartScreen Spoofing Vulnerability
Microsoft Edge (Chromium-based) Spoofing Vulnerability
User interface (ui) misrepresentation of critical information in Microsoft Edge for iOS allows an unauthorized attacker to perform spoofing over a network.
User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.
The issue was addressed with improved checks. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, watchOS 11.4. Visiting a malicious website may lead to address bar spoofing.
Inappropriate implementation in Custom Tabs in Google Chrome prior to 135.0.7049.52 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severit…
Inappropriate implementation in Autofill in Google Chrome prior to 135.0.7049.52 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: …
Inappropriate implementation in Downloads in Google Chrome prior to 135.0.7049.52 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
A spoofing issue was addressed with improved truncation when displaying the fully qualified domain name. This issue is fixed in Safari 18.5, macOS Sequoia 15.5. A website may be able to spoof the domain name in the title of a pop-up window.
HCL BigFix RunBookAI is affected by a Unvalidated Command Input / Potential Command Smuggling vulnerability. A flaw in a component's input handling was identified that could permit unauthorized command execution.
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. A url could be crafted to the DNN ImageHandler to render text from a querystring parameter. This text would display in the result…
When an email contains multiple attachments with external links via the X-Mozilla-External-Attachment-URL header, only the last link is shown when hovering over any attachment. Although the correct link is used on click, the misleading hov…
Websites directing users to long URLs that caused eliding to occur in the location view could leverage the truncating behavior to potentially trick users into thinking they were on a different webpage. This vulnerability was fixed in Focus…
A specially crafted filename containing a large number of encoded newline characters could obscure the file's extension when displayed in the download dialog. *This bug only affects Thunderbird for Android. Other versions of Thunderbird ar…
The issue was addressed with improved UI. This issue is fixed in Safari 18.6, iOS 18.6 and iPadOS 18.6. Visiting a malicious website may lead to address bar spoofing.
The issue was addressed by adding additional logic. This issue is fixed in Safari 26, macOS Tahoe 26. Visiting a malicious website may lead to address bar spoofing.
JHipster before v.8.9.0 allows privilege escalation via a modified authorities parameter. Upon registering in the JHipster portal and logging in as a standard user, the authorities parameter in the response from the api/account endpoint co…
An inconsistent user interface issue was addressed with improved state management. This issue is fixed in iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Sequoia 15.7.3, macOS Sonoma 14.8.3, macOS Tahoe 26.2, visionOS 26.2, w…
An inconsistent user interface issue was addressed with improved state management. This issue is fixed in iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2. An app may be able to access sensitive user data.
In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.
No cwe for this issue in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.
Microsoft Edge (Chromium-based) Spoofing Vulnerability
User interface (ui) misrepresentation of critical information in Microsoft Edge for Android allows an unauthorized attacker to perform spoofing over a network.
Inappropriate implementation in FileSystemAccess API in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Inappropriate implementation in Messages in Google Chrome on Android prior to 137.0.7151.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security…
A crafted HTML email using mailbox:/// links can trigger automatic, unsolicited downloads of .pdf files to the user's desktop or home directory without prompting, even if auto-saving is disabled. This behavior can be abused to fill the dis…
User interface (ui) misrepresentation of critical information in Microsoft Edge for iOS allows an unauthorized attacker to perform spoofing over a network.
User interface (ui) misrepresentation of critical information in Microsoft Edge for Android allows an authorized attacker to perform spoofing over a network.
User interface (ui) misrepresentation of critical information in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
Microsoft Edge (Chromium-based) Spoofing Vulnerability
Fullscreen API Spoofing and UI Redressing in the handling of Fullscreen API and UI rendering in OpenAI Operator SaaS on Web allows a remote attacker to capture sensitive user input (e.g., login credentials, email addresses) via displaying …
In the address bar, Firefox for Android truncated the display of URLs from the end instead of prioritizing the origin. This vulnerability was fixed in Firefox 141.
Focus incorrectly truncated URLs towards the beginning instead of around the origin. This vulnerability was fixed in Firefox 141.
A crafted URL using a blob: URI could have hidden the true origin of the page, resulting in a potential spoofing attack. *Note: This issue only affected Android operating systems. Other operating systems are unaffected.*. This vulnerabilit…
Insufficient validation of untrusted input in Core in Google Chrome prior to 139.0.7258.66 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Low)
Inappropriate implementation in Permissions in Google Chrome prior to 139.0.7258.66 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Spoofing issue in the Address Bar component. This vulnerability was fixed in Firefox 142 and Firefox ESR 140.2.
Spoofing issue in the Address Bar component of Firefox Focus for Android. This vulnerability was fixed in Firefox 142.
Microsoft Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to explo…
Inappropriate implementation in Toolbar in Google Chrome on Android prior to 140.0.7339.80 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform domain spoofing via a crafted HTML page. (Chromium secur…
Inappropriate implementation in Downloads in Google Chrome on Android prior to 140.0.7339.80 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
In getCallingAppLabel of CertInstaller.java, there is a possible way to hide a sensitive security dialogue due to misleading or insufficient UI. This could lead to local escalation of privilege with no additional execution privileges neede…
In multiple locations, there is a possible misleading UI due to obfuscation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
In getApplicationLabel of KeyChainActivity.java, there is a possible way to trick the user into approving access to certificates due to misleading or insufficient UI. This could lead to local escalation of privilege with no additional exec…
In getAppLabel of ForgetDeviceDialogFragment.java, there is a possible trick the user into forgetting a device due to misleading or insufficient UI. This could lead to local escalation of privilege with no additional execution privileges n…
User interface (ui) misrepresentation of critical information in Microsoft Edge for Android allows an unauthorized attacker to perform spoofing over a network.
Inappropriate implementation in Blink in Google Chrome on Android prior to 144.0.7559.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High)
Incorrect security UI in Digital Credentials in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium security severity: Medium)
Incorrect security UI in Google Chrome on Android prior to 144.0.7559.59 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Low)
Incorrect security UI in Split View in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
EchelonGraph correlates every CVE — across CWE-451 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →