CWE-1021

Improper Restriction of Rendered UI Layers or Frames

Parent: CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')

The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain.

388 vulnerabilities with CWE-1021
CVE-2026-10733  MEDIUM  CVSS 4.3  Improper Restriction of Rendered UI Layers or Frames in GitLab
CVE-2026-28577  HIGH    CVSS 7.8  Google Android - Improper Restriction of Rendered UI Layers or Frames
CVE-2026-0061   MEDIUM  CVSS 5.9  Android 14-16 WindowState - Tapjacking Privilege Escalation
CVE-2026-0036   HIGH    CVSS 7.8  Android 14-16 StageCoordinator - Tapjacking Privilege Escalation
CVE-2026-21785  MEDIUM  CVSS 4.0  HCL BigFix Remote Control Server WebUI is affected by a misconfigured Content Security Policy
CVE-2026-9396   LOW     CVSS 3.7  Besen BS20 EV Charging Station Firmware Version Check UI layer
CVE-2026-37470  HIGH    CVSS 7.3  ClipBucket v5 v.5.5.2 - Remote Code Execution via Authentication Interface
CVE-2026-42502  MEDIUM  CVSS 6.1  Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html
CVE-2026-27136  MEDIUM  CVSS 6.1  Invoking duplicate attributes can cause XSS in golang.org/x/net/html
CVE-2026-25681  MEDIUM  CVSS 6.1  Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html
CVE-2026-28971  MEDIUM  CVSS 4.3  iOS and iPadOS < 26.5 - UI Layer Restriction Bypass via Malicious Iframe
CVE-2026-8022   LOW     CVSS 3.1  Google Chrome < 148.0.7778.96 - Cross-Origin Data Leak via MHTML
CVE-2026-3254   LOW     CVSS 3.5  Improper Restriction of Rendered UI Layers or Frames in GitLab
CVE-2026-2378   HIGH    CVSS 7.4  Address bar spoofing risk in ArcSearch on Android
CVE-2026-0007   HIGH    CVSS 8.6  WindowInfo.cpp - Privilege Escalation
CVE-2026-27511  MEDIUM  CVSS 4.3  Shenzhen Tenda F3 V12.01.01.55 - Clickjacking
CVE-2026-26000  MEDIUM  CVSS 6.1  XWiki Platform <17.9.0, <17.4.6, <16.10.13 - XSS
CVE-2026-20645  MEDIUM  CVSS 4.6  iOS <26.3 & iPadOS <26.3 - Info Disclosure
CVE-2026-24839  MEDIUM  CVSS 4.7  dokploy < 0.26.6 - Clickjacking via Missing Frame-Busting Headers
CVE-2026-23731  MEDIUM  CVSS 4.3  WeGIA < 3.6.2 - Clickjacking via Missing Frame Protection Headers
CVE-2026-22918  MEDIUM  CVSS 4.3  SICK TDC-X401GL Firmware - Clickjacking via Missing UI Layer Protection
CVE-2025-62316  LOW     CVSS 2.3  HCL AION is affected by a vulnerability where certain security-related HTTP response headers are not properly configured
CVE-2025-62328  LOW     CVSS 3.7  HCL Nomad server on Domino - Information Disclosure via Missing Content-Security-Policy Frame-Ancestors Directive
CVE-2025-58405  MEDIUM  CVSS 6.1  CGM CLININET < 2025.ms3 - Clickjacking via Unrestricted UI Layer Embedding
CVE-2025-15032  HIGH    CVSS 7.4  Dia < 1.9.0 - Domain Spoofing via Missing about:blank Indicator