Mallory
Critical

Arbitrary Cordova callback dispatch in cordova-plugin-inappbrowser for iOS

Identifiers: CVE-2026-47430, CWE-20

CVE-2026-47430 is a vulnerability in the iOS implementation of Apache Cordova's cordova-plugin-inappbrowser. In affected versions, the plugin's handler for the cordova_iab script message takes the id field from the WKScriptMessage body and passes it straight to the command delegate's sendPluginResult:callbackId: method, without checking that the callback identifier is well-formed or that it belongs to the InAppBrowser instance that received the message. The vulnerable code path is reported in CDVWKInAppBrowser.m at lines 560-574. As a result, any web content loaded inside the InAppBrowser WebView can post a crafted message such as window.webkit.messageHandlers.cordova_iab.postMessage({id: '<victim-callback-id>', d: '...'}) and cause a pending Cordova callback belonging to another plugin in the host application to fire with attacker-chosen data. Because Cordova callback IDs follow a predictable pattern of the form <PluginName><integer counter>, an attacker can feasibly guess or enumerate the IDs of other pending calls. The issue affects cordova-plugin-inappbrowser versions 3.1.0 through 6.0.0 on iOS.
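The following is an added example, not code from cordova-plugin-inappbrowser or cordova-js. It models the callback registry that cordova-js keeps on the JavaScript side (keyed by service name plus counter) and contrasts two handlers for the cordova_iab message: one that dispatches whatever id the web content posted, which is the pattern described above, and one that only dispatches the callback id the InAppBrowser instance itself was opened with. The function and variable names are hypothetical and the pending callbacks are constructed. One caveat on the enumeration claim: cordova-js seeds its callback counter with a random value and then increments it, so real ids are not small integers, but the ids of calls made close together still differ only by small offsets; the model starts the counter at 1 so the ids are easy to follow.

```javascript
// Added example (hypothetical names). Models cordova-js's callback registry
// and two versions of the native cordova_iab message handler.

// Allocate a callback id the way cordova-js does: service name + counter.
// cordova-js seeds the counter randomly; the model starts at 1 for clarity.
function registerCallback(registry, counter, pluginName, onSuccess) {
  const id = pluginName + counter.next++;
  registry.set(id, onSuccess);
  return id;
}

// Model of the vulnerable handler: msg.id is taken from web content and
// handed to sendPluginResult:callbackId: with no check, so a guessed id
// belonging to another plugin fires that plugin's pending callback.
function handleMessageUnchecked(registry, msg) {
  const cb = registry.get(msg.id);
  if (!cb) return false;      // no pending callback with that id
  registry.delete(msg.id);    // one-shot result (keepCallback = false)
  cb(msg.d);
  return true;
}

// Model of the hardened handler: the id must be a string of the expected
// shape and must be one this InAppBrowser instance owns (the id passed to
// the open() command that created it). Anything else is dropped.
function handleMessageChecked(registry, ownedIds, msg) {
  if (typeof msg.id !== "string") return false;
  if (!/^InAppBrowser\d+$/.test(msg.id)) return false;
  if (!ownedIds.has(msg.id)) return false;
  return handleMessageUnchecked(registry, msg);
}

// Web content inside the InAppBrowser posting {id, d} for guessed ids of a
// different plugin; the payload shape is the one quoted in the advisory.
function forgeResults(handler, pluginName, count) {
  const hits = [];
  for (let n = 1; n <= count; n++) {
    const id = pluginName + n;
    if (handler({ id, d: { displayName: "forged contact" } })) hits.push(id);
  }
  return hits;
}

// Run one scenario end to end and return what the host app observed.
function runScenario(checked) {
  const registry = new Map();
  const counter = { next: 1 };
  const received = [];

  // Constructed state: a Contacts.find() is in flight and an InAppBrowser
  // is open, so both callbacks are pending in the registry.
  const contactsId = registerCallback(registry, counter, "Contacts",
    (r) => received.push({ plugin: "Contacts", r }));
  const iabId = registerCallback(registry, counter, "InAppBrowser",
    (r) => received.push({ plugin: "InAppBrowser", r }));
  const owned = new Set([iabId]);

  const handler = checked
    ? (msg) => handleMessageChecked(registry, owned, msg)
    : (msg) => handleMessageUnchecked(registry, msg);

  // Attacker content guesses Contacts1..Contacts8.
  const forgedHits = forgeResults(handler, "Contacts", 8);

  // The InAppBrowser's own loadstart event must still be delivered.
  const legitimateDelivered = handler({ id: iabId, d: { type: "loadstart" } });

  return { contactsId, iabId, forgedHits, legitimateDelivered, received };
}
```

With the unchecked handler the forged Contacts result is delivered to the host app's Contacts callback and the callback is consumed, so the genuine result that arrives later finds nothing to call; with the checked handler only the InAppBrowser's own event gets through. The regular-expression test alone is not sufficient, since the attacker can also post an InAppBrowser-prefixed id; ownership of the id is the check that matters.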



Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unauthenticated remote attacker who controls, or can inject script into, content displayed in the InAppBrowser to spoof plugin results across trust boundaries inside the host Cordova application. Depending on the app's installed plugins and which calls are pending at the time, this can let the attacker inject forged responses for plugins such as Camera, Contacts, File, or Geolocation, including fabricated contacts data, crafted file-read responses, or other falsified plugin outputs. The path fires callbacks the host app has already registered; it does not by itself let the attacker invoke a plugin, but a forged result also consumes the pending callback, so the genuine result is lost. The primary impact is unauthorized interaction with the host app's Cordova command/callback mechanism, which can lead to sensitive data exposure, logic manipulation, and abuse of trusted plugin workflows.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible, reduce exposure by preventing untrusted or attacker-influenced content from loading inside the InAppBrowser, especially content reached via OAuth redirects, marketing links, deep links, or other externally supplied URLs. Open only https:// URLs on an allowlist of hosts you control or trust, and close the browser if a navigation leaves that allowlist, so that neither a malicious site nor a network attacker injecting script into a plaintext page can reach the cordova_iab message handler. Because the flaw is in the plugin's callback handling on iOS, the effective long-term mitigation is upgrading to 6.0.1 or later; operational mitigations only reduce exploit opportunities.
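The allowlist check described above, as an added example that is not part of the advisory or of the plugin. The host list, the openTrusted wrapper and the use of window.cordova.InAppBrowser.open with a 'loadstart' listener and ref.close() reflect the public InAppBrowser JavaScript API, but the surrounding code and names are hypothetical; the test URLs are constructed. The check uses the WHATWG URL parser so that userinfo tricks, scheme downgrades and non-http schemes are rejected rather than string-matched.

```javascript
// Added example (hypothetical names). Host-app-side guard for which URLs may
// be opened in the InAppBrowser, plus a loadstart guard for later navigations.

// Exact-host allowlist, constructed for the example. Subdomains are not
// implied: add them explicitly if they are needed.
const ALLOWED_HOSTS = new Set(["accounts.example.com", "help.example.com"]);

// Return true only for an https URL whose parsed hostname is allowlisted.
// Parsing rather than prefix-matching means "https://accounts.example.com@evil.test/"
// resolves to evil.test and is rejected, as are javascript: and http: URLs.
function isAllowedInAppBrowserTarget(rawUrl, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(String(rawUrl));
  } catch (e) {
    return false;                       // unparseable input is not allowed
  }
  if (url.protocol !== "https:") return false;
  if (url.username || url.password) return false; // credentials in URL: reject
  return allowedHosts.has(url.hostname.toLowerCase());
}

// Decide what to do when the InAppBrowser starts loading a new URL.
// Returns "allow" or "close"; the caller acts on it (see onLoadStart below).
function loadStartDecision(eventUrl, allowedHosts = ALLOWED_HOSTS) {
  return isAllowedInAppBrowserTarget(eventUrl, allowedHosts) ? "allow" : "close";
}

// Wrapper around cordova.InAppBrowser.open that enforces the allowlist on
// the initial URL and on every subsequent navigation. Returns the browser
// reference, or null if the URL was rejected or the plugin is unavailable.
function openTrusted(rawUrl, target = "_blank", options = "location=yes") {
  if (!isAllowedInAppBrowserTarget(rawUrl)) return null;
  const iab = globalThis.window && window.cordova && window.cordova.InAppBrowser;
  if (!iab) return null;                // not running inside a Cordova app
  const ref = iab.open(rawUrl, target, options);
  ref.addEventListener("loadstart", (event) => {
    if (loadStartDecision(event.url) === "close") ref.close();
  });
  return ref;
}
```

Closing on an off-allowlist loadstart is deliberately strict: an OAuth flow that redirects through a third-party identity provider must have that provider's host on the list, or the flow will be cut short. That is the intended trade-off while the vulnerable plugin version is still deployed.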

Remediation

Patch, then assume compromise.

Upgrade cordova-plugin-inappbrowser to version 6.0.1 or later. Version 6.0.1 fixes the issue by validating the callback ID received in the cordova_iab message before it is dispatched, so unauthorized callback execution is prevented. After patching, review which URLs the app has been opening in the InAppBrowser and treat any session in which attacker-influenced content was shown as one in which plugin results may have been forged.
Exploits

No public exploit code has been observed for this vulnerability.
