CVE-2026-47430— Cordova Plugin InAppBrowser: iOS: Arbitrary Cordova callback IDs can be dispatched without validation from InAppBrowser WebViews
Possible ATT&CK Techniques 2AI
T1190 · Exploit Public-Facing Application T1566.001 · Spearphishing AttachmentAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Apache Software Foundation | Cordova Plugin InAppBrowser | 3.1.0≤ 6.0.0 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-47430
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Cordova Plugin InAppBrowser: iOS: Arbitrary Cordova callback IDs can be dispatched without validation from InAppBrowser WebViews
Source: NVD (National Vulnerability Database)
Vulnerability Description
## Summary The iOS implementation of `cordova-plugin-inappbrowser` passes the `id` field from a `WKScriptMessage` body to `commandDelegate sendPluginResult:callbackId:` with no format validation (`CDVWKInAppBrowser.m:560–574`). Any web content loaded inside the InAppBrowser can fire any pending Cordova callback in the host app by posting a message whose `id` field is a guessable or enumerated callback identifier. An attack abusing this weakness must be tailored to the specific plugins and callback IDs the host app uses. Though an attacker with knowledge of common Cordova plugin configurations could craft reusable payloads targeting widely-adopted plugins. ## Impact An unauthenticated remote attacker who controls content displayed in the InAppBrowser — via a URL the app opens (OAuth redirect, marketing link, deep-link target) or a network interception — can call `window.webkit.messageHandlers.cordova_iab.postMessage({id: '<victim-callback-id>', d: '...'})` to fire callbacks belonging to any other installed Cordova plugin (Camera, Contacts, File, Geolocation). Cordova callback IDs follow the predictable format `<PluginName><sequential-integer>`, making enumeration feasible. Successful exploitation allows the attacker to spoof plugin results across trust boundaries — for example, injecting a forged camera approval, a fabricated contacts list, or a crafted file-read response. This issue affects Cordova Plugin InAppBrowser: from 3.1.0 through 6.0.0. Users are recommended to upgrade to version 6.0.1, which fixes the issue.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
输入验证不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Apache Cordova Plugin InAppBrowser 输入验证错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Apache Cordova Plugin InAppBrowser是美国阿帕奇(Apache)基金会的一个嵌入式浏览器插件。 Apache Cordova Plugin InAppBrowser 3.1.0版本至6.0.0版本存在输入验证错误漏洞,该漏洞源于iOS实现中未对WKScriptMessage消息体的id字段进行格式验证,可能导致远程攻击者伪造插件结果并跨信任边界进行攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Apache Software Foundation | Cordova Plugin InAppBrowser | 3.1.0 ~ 6.0.0 | - |
II. Public POCs for CVE-2026-47430
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-47430
请登录查看更多情报信息。
Mailing List Discussions for CVE-2026-47430 (1)
Same Patch Batch · Apache Software Foundation · 2026-06-08 · 14 CVEs total
| CVE-2026-49975 | Apache HTTP Server: mod_http2 denial of service | |
| CVE-2026-48913 | Apache HTTP Server: mod_http2 memory corruption when file handles exhausted | |
| CVE-2026-42536 | Apache HTTP Server: mod_xml2enc heap overflow | |
| CVE-2026-44185 | Apache HTTP Server: Stack Buffer Over-Read in mod_ssl OCSP `send_request` | |
| CVE-2026-34355 | Apache HTTP Server: mod_proxy_html buffer overflow | |
| CVE-2026-44631 | Apache HTTP Server: Heap Underflow in `ap_regname` via Signed Char Overflow | |
| CVE-2026-44119 | Apache HTTP Server: escalation of privilege through expressions in .htaccess in multiple m | |
| CVE-2026-43951 | Apache HTTP Server: OOB Read in `merge_response_headers` can cause crash | |
| CVE-2026-42535 | Apache HTTP Server: mod_dav_fs protected directory access | |
| CVE-2026-34356 | Apache HTTP Server: ProxyPassReverseCookieMap buffer overflow | |
| CVE-2026-44186 | Apache HTTP Server: Loop in `proxy_ftp_handler` in mod_proxy_ftp | |
| CVE-2026-29170 | Apache HTTP Server: mod_proxy_ftp XSS | |
| CVE-2026-29167 | Apache HTTP Server: mod_ldap per-dir use-after-free |
IV. Related Vulnerabilities
Same vendor: Apache Software Foundation
- CVE-2025-64152
Apache IoTDB: Path Traversal Vulnerability - CVE-2025-55017
Apache IoTDB: Path Traversal Vulnerability - CVE-2026-57915
Apache Kerby: Kerberos Pre-Authentication Bypass - CVE-2026-57914
Apache Kerby: StackOverflow on parsing deeply nested ASN1 st - CVE-2026-49486
Apache Airflow FTP provider: FTP Provider does not protect F
Same weakness: CWE-20
- CVE-2026-13434
Virt-controller-rhel9: kubevirt: kubevirt: multus default-ne - CVE-2026-52801
Gogs: Ability to import local repositories via Mirror Settin - CVE-2025-64719
Gogs: Denial of Service in repository/wiki file listing web - CVE-2026-13024
Chrome <149.0.7827.197 导航输入验证不足致站点隔离绕过 - CVE-2026-13025
Chrome<149.0.7827.197 DevTools竞态条件致沙箱逃逸
V. Comments for CVE-2026-47430
No comments yet