CWE-1021 (Improper Restriction of Rendered UI Layers or Frames) documents a weakness type used across vulnerability databases and security assessments. Use the sections below for definition, context, and mapped CVEs.
The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain.
| Kind | Name | Class | Prevalence | OS / CPE |
|---|---|---|---|---|
| language | — | Not Language-Specific | Undetermined | — |
| technology | — | Not Technology-Specific | Undetermined | — |
| technology | — | Web Based | Undetermined | — |
These CVEs are mapped to this weakness in this database and kept for traceability and search.
| CVE | Published | Summary |
|---|---|---|
| CVE-2026-28577 | 2026-06-01 | In addWindow of WindowManagerService.java, there is a possible tapjacking issue due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privil… |
| CVE-2026-0061 | 2026-06-01 | In multiple functions of WindowState.java, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with… |
| CVE-2026-0036 | 2026-06-01 | In startAnimation of StageCoordinator.java, there is a possible tapjacking issue due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privi… |
| CVE-2026-21785 | 2026-05-27 | A misconfigured Content Security Policy (CSP) in HCL BigFix Remote Control Server WebUI (versions 10.1.0.0442 and earlier) fails to define directives without fallbacks, allowing attackers to bypass in… |
| CVE-2026-9396 | 2026-05-24 | A security flaw has been discovered in Besen BS20 EV Charging Station up to 20260426. Affected by this vulnerability is an unknown functionality of the component Firmware Version Check. The manipulati… |
| CVE-2026-42502 | 2026-05-22 | Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML befor… |
| CVE-2026-27136 | 2026-05-22 | Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML befor… |
| CVE-2026-25681 | 2026-05-22 | Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML befor… |
| CVE-2025-62316 | 2026-05-14 | HCL AION is affected by a vulnerability where certain security-related HTTP response headers are not properly configured. Absence of these headers may reduce the effectiveness of browser-based securit… |
| CVE-2026-28971 | 2026-05-11 | The issue was addressed with improved UI handling. This issue is fixed in Safari 26.5, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5. A malicious iframe may use another website’s download … |
| CVE-2026-8022 | 2026-05-06 | Inappropriate implementation in MHTML in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted M… |
| CVE-2026-3254 | 2026-04-22 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that under certain conditions could have allowed an authenticated user to load unauthorized content into… |
| CVE-2026-2378 | 2026-03-20 | ArcSearch for Android versions prior to 1.12.7 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web co… |
| CVE-2025-62328 | 2026-03-11 | HCL Nomad server on Domino did not configure the frame-ancestors directive in the Content-Security-Policy header by default which could allow an attacker to obtain sensitive information via unspecifie… |
| CVE-2026-0007 | 2026-03-02 | In writeToParcel of WindowInfo.cpp, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no add… |
| CVE-2025-58405 | 2026-03-02 | The CGM CLININET application does not implement any mechanisms that prevent clickjacking attacks, neither HTTP security headers nor HTML-based frame‑busting protections were detected. As a result, an … |
| CVE-2026-27511 | 2026-02-23 | Shenzhen Tenda F3 Wireless Router firmware V12.01.01.55_multi contains a clickjacking vulnerability in the web-based administrative interface. The interface does not set the X-Frame-Options header, al… |
| CVE-2026-26000 | 2026-02-12 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.9.0, 17.4.6, and 16.10.13, it's possible using comments to inject CSS that would tr… |
| CVE-2026-20645 | 2026-02-11 | An inconsistent user interface issue was addressed with improved state management. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3. An attacker with physical access to a … |
| CVE-2026-24839 | 2026-01-28 | Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, the Dokploy web interface is vulnerable to Clickjacking attacks due to missing frame-busting headers. This a… |
| Date | Name | Version | Importance | Comment |
|---|---|---|---|---|
| 2019-06-20 | CWE Content Team | 3.3 | — | updated Related_Attack_Patterns, Relationships |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Applicable_Platforms, Relationships |
| 2020-06-25 | CWE Content Team | 4.1 | — | updated Potential_Mitigations |
| 2020-08-20 | CWE Content Team | 4.2 | — | updated Related_Attack_Patterns |
| 2021-10-28 | CWE Content Team | 4.6 | — | updated Relationships |
| 2023-01-31 | CWE Content Team | 4.10 | — | updated Related_Attack_Patterns |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated Detection_Factors, References, Relationships |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Applicable_Platforms, References, Relationships, Weakness_Ordinalities |
| 2026-04-30 | CWE Content Team | 4.20 | — | updated Common_Consequences, Description, Diagram, Potential_Mitigations |