A critical vulnerability (CVE-2026-47430) in the Apache Cordova InAppBrowser plugin on iOS allows untrusted web content to execute unauthorized commands within user applications. Attackers can inject malicious code via predictable callback identifiers, which poses a severe risk to user data if the flaw is not patched. The issue affects plugin versions 3.1.0 through 6.0.0; upgrading to version 6.0.1 is urgently recommended to prevent exploitation. The vulnerability can be exploited through attack vectors such as OAuth links, compromising the security of the mobile device.
Cordova InAppBrowser Bug Lets Attackers Run Code on iOS Apps
Article by CyberSIXT