CVE-2026-47430
Description
CVE-2026-47430: iOS InAppBrowser allows arbitrary callback firing by passing unvalidated IDs, enabling spoofed plugin results.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The iOS implementation of cordova-plugin-inappbrowser versions 3.1.0 through 6.0.0 passes the id field from a WKScriptMessage body to commandDelegate sendPluginResult:callbackId: without format validation. This allows web content loaded within the InAppBrowser to trigger any pending Cordova callback in the host application by sending a message with a guessable or enumerated callback identifier [1].
Exploitation
An unauthenticated remote attacker who controls content displayed in the InAppBrowser can exploit this by using window.webkit.messageHandlers.cordova_iab.postMessage({id: '', d: '...'}). The attacker needs to know or enumerate the callback IDs used by the host app's installed Cordova plugins, which often follow a predictable format like `` [1].
Impact
Successful exploitation allows an attacker to spoof plugin results across trust boundaries. This could include injecting forged responses for actions like camera approvals, contact list access, or file read operations, thereby compromising the integrity of the application's functionality [1].
Mitigation
Users are recommended to upgrade to cordova-plugin-inappbrowser version 6.0.1 or later, which addresses this issue. No other mitigation details are available in the provided references [1].
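The following is an added illustration, not code from cordova-plugin-inappbrowser or from its 6.0.1 fix (which is not on this page). It models the native `cordova_iab` message handler in JavaScript to show the mechanism from the Vulnerability section beside the kind of check the Mitigation section implies: the vulnerable pattern dispatches whatever `id` the web content supplies, while the hardened pattern only fires callbacks the InAppBrowser plugin itself issued. The host registry, the callback IDs and the ID shape regex are constructed assumptions for the demo.

```javascript
// Simulated host-app callback registry standing in for the Cordova
// commandDelegate. Constructed sample data; not the plugin's code.
function makeHost() {
  const pending = new Map(); // callbackId -> owning plugin
  const fired = [];          // record of every result dispatched
  return {
    register(callbackId, owner) { pending.set(callbackId, owner); },
    // Stand-in for commandDelegate sendPluginResult:callbackId:
    sendPluginResult(callbackId, payload) {
      if (!pending.has(callbackId)) return false;
      fired.push({ callbackId, owner: pending.get(callbackId), payload });
      return true;
    },
    fired,
  };
}

// Vulnerable pattern as the advisory describes it: the id field from the
// WKScriptMessage body goes straight to the host dispatcher, so any
// pending callback in the app can be targeted.
function vulnerableHandler(host, message) {
  return host.sendPluginResult(message.id, message.d);
}

// Hardened pattern: the plugin remembers the callback IDs it handed out and
// refuses to dispatch to any other. ID_SHAPE is a generic bounded-length
// shape check (an assumption, not the real Cordova format) that rejects
// empty or malformed ids before the ownership check runs.
const ID_SHAPE = /^[A-Za-z0-9]{1,64}$/;
function makeHardenedHandler(host, ownedIds) {
  return function handle(message) {
    const id = message && message.id;
    if (typeof id !== 'string' || !ID_SHAPE.test(id)) return false;
    if (!ownedIds.has(id)) return false; // not a callback this plugin owns
    return host.sendPluginResult(id, message.d);
  };
}

// Runs both handlers against one foreign callback and one owned callback
// and reports which dispatches succeeded.
function demo() {
  const host = makeHost();
  host.register('Camera1001', 'Camera');             // constructed: another plugin's callback
  host.register('InAppBrowser2002', 'InAppBrowser'); // constructed: this plugin's own callback
  const owned = new Set(['InAppBrowser2002']);
  const hardened = makeHardenedHandler(host, owned);

  const foreign = { id: 'Camera1001', d: JSON.stringify({ approved: true }) };
  const own = { id: 'InAppBrowser2002', d: JSON.stringify({ type: 'loadstop' }) };

  return {
    vulnerableForeign: vulnerableHandler(host, foreign), // true: crosses the trust boundary
    hardenedForeign: hardened(foreign),                  // false: rejected
    hardenedOwn: hardened(own),                          // true: still works
    hardenedEmptyId: hardened({ id: '', d: '' }),        // false: fails the shape check
    dispatched: host.fired.length,                       // 2: one vulnerable, one legitimate
  };
}
```

The ownership set is the decisive control: a format regex alone only narrows the space of accepted ids, whereas tracking the plugin's own pending callbacks removes the cross-plugin spoofing path entirely.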
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=3.1.0,<6.0.1
- Range: 3.1.0 - 6.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.