Cordova InAppBrowser iOS Flaw Lets Web Content Spoof Plugin Callbacks
Apache disclosed CVE-2026-47430, an important-severity vulnerability in the iOS implementation of cordova-plugin-inappbrowser that allows web content loaded inside an InAppBrowser WebView to dispatch arbitrary Cordova callback IDs without validation. The flaw stems from a crafted id field in a WKScriptMessage being passed into Cordova’s command handling, enabling untrusted content to trigger pending callbacks that should belong to other parts of the host app.
Because Cordova callback IDs are predictable, a remote attacker controlling displayed content or intercepting traffic could enumerate identifiers and spoof results for other installed plugins, including Camera, Contacts, File, and Geolocation. Reported by Niklas Merz and tracked as issue #1152, the bug affects cordova-plugin-inappbrowser versions 3.1.0 through 6.0.0 on iOS; Apache fixed it in 6.0.1, and exploitation scenarios may include malicious webpages, OAuth redirect flows, or deep links viewed inside affected apps.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Cordova Plugin InAppBrowser 6.0.1 fixes CVE-2026-47430
The vulnerability was fixed in cordova-plugin-inappbrowser version 6.0.1 by adding validation to prevent unauthorized callback execution. Users of affected iOS versions 3.1.0 through 6.0.0 were advised to upgrade.
Apache discloses CVE-2026-47430 in Cordova InAppBrowser for iOS
Apache disclosed CVE-2026-47430, an important-severity flaw in the iOS implementation of cordova-plugin-inappbrowser that allows arbitrary Cordova callback IDs to be dispatched without validation from InAppBrowser WebViews. The issue affects versions 3.1.0 through 6.0.0 and was reported by Niklas Merz.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
CVE-2026-47430 - Cordova Plugin InAppBrowser: iOS: Arbitrary Cordova callback IDs can be dispatched without validation from InAppBrowser WebViews
cvefeed.io
Open sourceCordova Vulnerability: InAppBrowser Callback Flaw
securityonline.info
Open sourceoss-sec: CVE-2026-47430: Cordova Plugin InAppBrowser: iOS: Arbitrary Cordova callback IDs can be dispatched without validation from InAppBrowser WebViews
seclists.org
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Edge for Android spoofing flaws patched across multiple CVEs
Microsoft has disclosed and patched multiple **spoofing vulnerabilities** affecting **Microsoft Edge for Android**, including `CVE-2026-35429`, `CVE-2026-42891`, `CVE-2026-0391`, `CVE-2025-47967`, and the earlier `CVE-2024-21387`. The issues are described as **user interface misrepresentation** flaws that could let an unauthenticated attacker present misleading content over a network, potentially tricking users who visit attacker-controlled pages. The repeated classification points to browser UI spoofing risks in the Android version of Edge rather than code execution or privilege escalation. For `CVE-2026-35429`, Microsoft said the flaw was rated **Moderate** with a **CVSS v3.1 score of 4.3**, required **user interaction**, and had **low attack complexity** with **no privileges required**. Microsoft also stated the vulnerability was **not publicly disclosed** and **not exploited** at the time of publication, and released a fix in **Microsoft Edge for Android version `148.0.3967.55`**. The additional CVE entries indicate a broader pattern of Edge for Android spoofing issues being tracked and remediated through Microsoft’s Security Update Guide.
May 25, 2026
Apple security release notes and third-party reporting on iOS WebKit risk
Apple published multiple security release notes and update entries across its platforms, including iOS/iPadOS point releases (e.g., iOS/iPadOS 26.2.1, 18.7.4, 16.7.13, 15.8.6, 12.5.8) and watchOS 26.2.1, with Apple indicating **no published CVE entries** for several of the January 2026 point updates. Apple also refreshed or republished detailed historical security-content pages for older products, including macOS Big Sur 11.7.9 (listing fixes such as **CVE-2023-34425** kernel-privilege arbitrary code execution in Apple Neural Engine, **CVE-2023-32364** sandbox restriction bypass, and other privacy/logic issues), Xcode 14.1 (including multiple *git* issues such as **CVE-2022-29187**, **CVE-2022-39253**, **CVE-2022-39260**, plus an Xcode Server privilege issue **CVE-2022-42797**), and visionOS 2 for Apple Vision Pro (including issues like **CVE-2024-44126** heap corruption from crafted files, **CVE-2024-27876** arbitrary file write via archive unpacking race condition, and additional sandbox/data-access weaknesses). Separately, a vendor blog post warned that **critical WebKit vulnerabilities** could enable remote compromise of iOS devices via a malicious webpage (arbitrary code execution and potential credential/data theft), emphasizing patch latency as a key risk; however, the post does not clearly map its claims to specific Apple CVEs or to the “no published CVE entries” iOS/iPadOS point releases listed on Apple’s security releases page. A Reddit /r/netsec item about a **one-click** vulnerability in *IDIS Cloud Manager (ICM) Viewer* (triggered by clicking an untrusted link) is unrelated to Apple/WebKit and does not align with the Apple security-release content.
Mar 21, 2026
Google Chrome fixes WebRTC use-after-free flaws enabling sandboxed code execution
Google disclosed two high-severity Chrome vulnerabilities in WebRTC, tracked as **`CVE-2026-7336`** and **`CVE-2026-7341`**, that affect versions prior to **`147.0.7727.138`**. Both bugs are classified as **CWE-416 use-after-free** issues and can be triggered when a user loads a crafted HTML page, allowing a remote attacker to achieve arbitrary code execution **inside the browser sandbox**. The CVE records link the flaws to Chrome release notes and Chromium issue tracker entries, and both were published by Google's Chrome security team before receiving updates with CVSS details. **`CVE-2026-7336`** was assigned a high-severity **CVSS v3.1** rating reflecting impacts to confidentiality, integrity, and availability, while **`CVE-2026-7341`** was later updated to clarify that exploitation requires **user interaction**, correcting an earlier scoring entry while preserving its overall high-impact assessment.
May 24, 2026