# [CRIT] [GHSA / CRITICAL] CVE-2026-47430: Cordova Plugin InAppBrowser: iOS: Arbitrary Cordova callback IDs can be dispatched without validation from InAppBrowser WebViews. **Source:** GitHub Security Advisories **Published:** 2026-06-08 **Article:** https://github.com/advisories/GHSA-q42j-x8rq-pjg6 ## Threat Profile Cordova Plugin InAppBrowser: iOS: Arbitrary Cordova callback IDs can be dispatched without validation from InAppBrowser WebViews. ## Summary The iOS implementation of `cordova-plugin-inappbrowser` passes the `id` field from a `WKScriptMessage` body to `commandDelegate sendPluginResult:callbackId:` with no format validation (`CDVWKInAppBrowser.m:560–574`). Any web content loaded inside the InAppBrowser can fire any pending Cordova callback in the host app by posting a message whose `id` field i… ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2026-47430` ## MITRE ATT&CK Techniques - **T1190** — Exploit Public-Facing Application - **T1528** — Steal Application Access Token - **T1098.001** — Account Manipulation: Additional Cloud Credentials - **T1195.001** — Supply Chain Compromise: Compromise Software Dependencies and Development Tools - **T1592.002** — Gather Victim Host Information: Software ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### Vulnerable cordova-plugin-inappbrowser install on dev endpoint (CVE-2026-47430) `UC_105_2` · phase: **weapon** · confidence: **Medium** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=t count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN ("npm.exe","npm.cmd","npx.exe","yarn.exe","pnpm.exe","cordova.cmd","cordova.exe","ionic.cmd","node.exe")) Processes.process="*cordova-plugin-inappbrowser*" (Processes.process="* install*" OR Processes.process="* add*" OR Processes.process="*plugin add*" OR Processes.process="* i *" OR Processes.process="*--save*") by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | rex field=process "cordova-plugin-inappbrowser@(?\d+\.\d+\.\d+)" | where isnull(pinned_version) OR match(pinned_version,"^(3\.|4\.|5\.|6\.0\.0$)") | convert ctime(firstTime) ctime(lastTime) ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(90d) | where FileName in~ ("npm.exe","npm.cmd","npx.exe","yarn.exe","pnpm.exe","cordova.cmd","cordova.exe","ionic.cmd","node.exe") | where ProcessCommandLine has "cordova-plugin-inappbrowser" | where ProcessCommandLine has_any (" install"," add"," plugin add"," i ","--save"," -S") | extend PinnedVersion = extract(@"cordova-plugin-inappbrowser@([0-9]+\.[0-9]+\.[0-9]+)", 1, ProcessCommandLine) | where isempty(PinnedVersion) or PinnedVersion matches regex @"^(3\.|4\.|5\.|6\.0\.0$)" | where AccountName !endswith "$" | where not (ProcessCommandLine has_any (" uninstall"," remove "," rm "," list "," ls "," view ")) | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, PinnedVersion | order by Timestamp desc ``` ### CVE-2026-47430 fleet exposure via Defender TVM (vulnerable cordova-plugin-inappbrowser) `UC_105_3` · phase: **recon** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl search index=defender_tvm sourcetype="defender:tvm:vulnerabilities" CveId="CVE-2026-47430" | stats min(_time) as first_seen max(_time) as last_seen values(SoftwareVersion) as observed_versions values(VulnerabilitySeverityLevel) as severity by DeviceName SoftwareVendor SoftwareName | convert ctime(first_seen) ctime(last_seen) | sort - last_seen ``` **Defender KQL:** ```kql DeviceTvmSoftwareVulnerabilities | where CveId == "CVE-2026-47430" | summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), ObservedVersions = make_set(SoftwareVersion), Severity = any(VulnerabilitySeverityLevel), RecommendedFix = any(RecommendedSecurityUpdate) by DeviceId, DeviceName, OSPlatform, OSVersion, SoftwareVendor, SoftwareName | order by LastSeen desc ``` ### OAuth consent / suspicious app grant `UC_OAUTH_ABUSE` · phase: **actions** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Authentication.Authentication where Authentication.action="success" AND Authentication.signature IN ( "Consent to application", "Add app role assignment grant to user", "Add OAuth2PermissionGrant", "Add delegated permission grant") by Authentication.user, Authentication.app, Authentication.src, Authentication.signature | `drop_dm_object_name(Authentication)` ``` **Defender KQL:** ```kql CloudAppEvents | where Timestamp > ago(7d) | where ActionType in ("Consent to application.","Add OAuth2PermissionGrant.","Add delegated permission grant.") | project Timestamp, AccountObjectId, AccountDisplayName, ActivityType, ActivityObjects, IPAddress, UserAgent ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High** - CVE(s): `CVE-2026-47430` ## Why this matters Severity classified as **CRIT** based on: CVE present, 4 use case(s) fired, 5 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.