CVEs classified under CWE-451, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2026-2634 — CVSS 9.8 (critical): Malicious scripts could cause desynchronization between the address bar and web content before a response is received in Firefox iOS…
CVE-2026-0907 — CVSS 9.8 (critical): Incorrect security UI in Split View in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform UI spoofing via a crafted…
CVE-2026-0906 — CVSS 9.8 (critical): Incorrect security UI in Google Chrome on Android prior to 144.0.7559.59 allowed a remote attacker to spoof the contents of the Omnibox…
CVE-2025-8043 — CVSS 9.8 (critical): Focus incorrectly truncated URLs towards the beginning instead of around the origin. This vulnerability was fixed in Firefox 141.
CVE-2026-11175 — CVSS 8.8 (high): Incorrect security UI in Messages in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a…
CVE-2026-11172 — CVSS 8.8 (high): Incorrect security UI in Contact Picker in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing…
CVE-2020-9236 — CVSS 8.8 (high): There is an improper interface design vulnerability in Huawei product. A module interface of the impated product does not deal with some…
CVE-2024-0750 — CVSS 8.8 (high): A bug in popup notifications delay calculation could have made it possible for an attacker to trick a user into granting permissions. This…
CVE-2021-41598 — CVSS 8.8 (high): A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed more permissions to be granted during a GitHub…
CVE-2019-25718 — CVSS 8.4 (high): Dräger Infinity Explorer C700 contains a privilege escalation vulnerability that allows attackers to break out of kiosk mode and access…
CVE-2024-52271: User Interface (UI) Misrepresentation of Critical Information vulnerability in Documenso allows Content Spoofing.Displayed version does not…
CVE-2024-52270: User Interface (UI) Misrepresentation of Critical Information vulnerability in DropBox Sign(HelloSign) allows Content Spoofing. Displayed…
CVE-2024-52277: User Interface (UI) Misrepresentation of Critical Information vulnerability in DocuSeal allows Content Spoofing.Displayed version does not…
CVE-2025-11720 — CVSS 8.1 (high): The Firefox and Firefox Focus UI for the Android custom tab feature only showed the "site" that was loaded, not the full hostname. User…
CVE-2024-52269 — CVSS 8.1 (high): User Interface (UI) Misrepresentation of Critical Information vulnerability in DocuSign allows Content Spoofing. The SaaS AI assistant…
CVE-2026-53829 — CVSS 8.0 (high): OpenClaw before 2026.5.18 contains an approval display truncation vulnerability allowing authenticated users to hide command suffixes from…
CVE-2026-0096 — CVSS 7.8 (high): In getAppLabel of ForgetDeviceDialogFragment.java, there is a possible trick the user into forgetting a device due to misleading or…
CVE-2026-0094 — CVSS 7.8 (high): In getApplicationLabel of KeyChainActivity.java, there is a possible way to trick the user into approving access to certificates due to…
CVE-2026-0093 — CVSS 7.8 (high): In multiple locations, there is a possible misleading UI due to obfuscation. This could lead to local escalation of privilege with no…
CVE-2026-0088 — CVSS 7.8 (high): In getCallingAppLabel of CertInstaller.java, there is a possible way to hide a sensitive security dialogue due to misleading or…
CVE-2025-9491 — CVSS 7.8 (high): Microsoft Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute…
CVE-2024-23708 — CVSS 7.8 (high): In multiple functions of NotificationManagerService.java, there is a possible way to not show a toast message when a clipboard message has…
CVE-2026-14114 — CVSS 7.5 (high): Inappropriate implementation in WebAppInstalls in Google Chrome on Android prior to 150.0.7871.47 allowed a local attacker to perform UI…
CVE-2026-8964 — CVSS 7.5 (high): Spoofing issue in the Popup Blocker component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
CVE-2025-46311 — CVSS 7.5 (high): An inconsistent user interface issue was addressed with improved state management. This issue is fixed in iOS 18.7.3 and iPadOS 18.7.3, iOS…
CVE-2026-28964 — CVSS 7.5 (high): An inconsistent user interface issue was addressed with improved state management. This issue is fixed in iOS 26.5 and iPadOS 26.5…
CVE-2024-52276 — CVSS 7.5 (high): User Interface (UI) Misrepresentation of Critical Information vulnerability in DocuSign allows Content Spoofing. 1. Displayed version does…
CVE-2026-32971 — CVSS 7.1 (high): OpenClaw before 2026.3.11 contains an approval-integrity vulnerability in node-host system.run approvals that displays extracted shell…
CVE-2026-14404 — CVSS 6.5 (medium): Inappropriate implementation in PDFium in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to perform UI spoofing via a…
CVE-2026-14014 — CVSS 6.5 (medium): Inappropriate implementation in Paint in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a…
CVE-2026-14002 — CVSS 6.5 (medium): Inappropriate implementation in Geolocation in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the…
CVE-2026-13996 — CVSS 6.5 (medium): Inappropriate implementation in Permissions in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a…
CVE-2026-13988 — CVSS 6.5 (medium): Inappropriate implementation in Paint in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a…
CVE-2026-13892 — CVSS 6.5 (medium): Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who convinced a…
CVE-2026-11227 — CVSS 6.5 (medium): Incorrect security UI in Tab Hover Cards in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform domain spoofing via a…
CVE-2026-11225 — CVSS 6.5 (medium): Inappropriate implementation in WebUI in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform domain spoofing via a…
CVE-2026-11222 — CVSS 6.5 (medium): Incorrect security UI in Tab Strip in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform domain spoofing via a…
CVE-2026-11215 — CVSS 6.5 (medium): Inappropriate implementation in Cronet in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform domain…
CVE-2026-42891 — CVSS 6.5 (medium): User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform…
CVE-2026-3861 — CVSS 6.5 (medium): LINE client for iOS versions prior to 26.3.0 contains a vulnerability in the in-app browser where opening a crafted web page can repeatedly…
CVE-2026-5905 — CVSS 6.5 (medium): Incorrect security UI in Permissions in Google Chrome on Windows prior to 147.0.7727.55 allowed a remote attacker to perform domain…
CVE-2026-3889 — CVSS 6.5 (medium): Spoofing issue in Thunderbird. This vulnerability was fixed in Thunderbird 149 and Thunderbird 140.9.
CVE-2026-3937 — CVSS 6.5 (medium): Incorrect security UI in Downloads in Google Chrome on Android prior to 146.0.7680.71 allowed a remote attacker to perform UI spoofing via…
CVE-2026-3935 — CVSS 6.5 (medium): Incorrect security UI in WebAppInstalls in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to perform UI spoofing via a…
CVE-2026-26320 — CVSS 6.5 (medium): OpenClaw is a personal AI assistant. OpenClaw macOS desktop client registers the `openclaw://` URL scheme. For `openclaw://agent` deep…
CVE-2026-2320 — CVSS 6.5 (medium): Inappropriate implementation in File input in Google Chrome prior to 145.0.7632.45 allowed a remote attacker who convinced a user to engage…
CVE-2026-2318 — CVSS 6.5 (medium): Inappropriate implementation in PictureInPicture in Google Chrome prior to 145.0.7632.45 allowed a remote attacker who convinced a user to…