Cordova · Inappbrowser · CVE-2026-47430
**Name of the Vulnerable Software and Affected Versions**
Cordova Plugin InAppBrowser versions 3.1.0 through 6.0.0
**Description**
The iOS implementation of the InAppBrowser plugin does not validate the `id` field of a `WKScriptMessage` body before passing it as the callback ID to `[self.commandDelegate sendPluginResult:callbackId:]`. Web content loaded inside the InAppBrowser can therefore complete any pending Cordova callback in the host application by posting a message whose `id` is a guessed or enumerated callback identifier. Because Cordova callback IDs follow the predictable `<PluginName><sequential-integer>` format, an attacker who calls `window.webkit.messageHandlers.cordova_iab.postMessage()` with a chosen `id` can spoof results from other installed plugins such as Camera, Contacts, File, or Geolocation, and the host application's JavaScript receives the attacker-supplied data as if it had come from that plugin.
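The following is an added model of the bridge described above, not code from cordova-plugin-inappbrowser or from cordova.js: it keeps a callback table keyed by `<PluginName><counter>`, dispatches a posted message body the way the vulnerable handler does (trusting `id`), and beside it shows one hardening in which the plugin only delivers results for callback IDs it issued itself. The `d` data field name, the `registerCallback`/`deliverResult` helpers, the scenario, and the hardening approach are assumptions of this example; the actual patch in 6.0.1 may differ.

```javascript
// Model of the Cordova callback table and the InAppBrowser script-message
// handler, written to illustrate the advisory. Not the plugin's code: the real
// table lives in cordova.js and the real handler is
// userContentController:didReceiveScriptMessage: in CDVWKInAppBrowser.m.

// cordova.js keeps pending callbacks keyed by "<Service><counter>".
const pendingCallbacks = new Map();
let nextCallbackNumber = 0;

// Registration as cordova.exec does it: the id is predictable.
function registerCallback(service, onSuccess) {
  const callbackId = service + nextCallbackNumber++;
  pendingCallbacks.set(callbackId, onSuccess);
  return callbackId;
}

// Delivery of a plugin result to the host app's JavaScript.
function deliverResult(callbackId, payload) {
  const onSuccess = pendingCallbacks.get(callbackId);
  if (!onSuccess) return false;
  pendingCallbacks.delete(callbackId);
  onSuccess(payload);
  return true;
}

// Vulnerable handler: whatever `id` the loaded page posts is used as the
// callback id. (`d` as the data field name is an assumption of this model.)
function vulnerableMessageHandler(body) {
  if (body === null || typeof body !== 'object') return false;
  return deliverResult(body.id, body.d === undefined ? [] : [body.d]);
}

// Hardened handler (this example's approach): the plugin tracks the callback
// ids it handed to executeScript and only delivers to those; anything else,
// including a forged id for another plugin, is dropped.
function makeHardenedMessageHandler(issuedIds) {
  return function (body) {
    if (body === null || typeof body !== 'object') return false;
    if (typeof body.id !== 'string' || !issuedIds.has(body.id)) return false;
    issuedIds.delete(body.id); // one result per issued id
    return deliverResult(body.id, body.d === undefined ? [] : [body.d]);
  };
}

// Scenario: the host app has a Camera call outstanding while an InAppBrowser
// window showing hostile content is open. Returns what each party observed.
function runScenario(useHardenedHandler) {
  pendingCallbacks.clear();
  nextCallbackNumber = 0;

  const observed = { cameraResult: null, scriptResult: null, accepted: [] };

  // Pending Camera callback, id "Camera0".
  const cameraId = registerCallback('Camera', (r) => { observed.cameraResult = r; });

  // InAppBrowser.executeScript registers its own callback, id "InAppBrowser1".
  const scriptId = registerCallback('InAppBrowser', (r) => { observed.scriptResult = r; });
  const issuedIds = new Set([scriptId]);

  const handler = useHardenedHandler
    ? makeHardenedMessageHandler(issuedIds)
    : vulnerableMessageHandler;

  // Constructed message bodies, as the loaded page could post them via
  // window.webkit.messageHandlers.cordova_iab.postMessage(...):
  // 1. a forged result aimed at the pending Camera callback,
  // 2. the legitimate executeScript result.
  const forged = { id: cameraId, d: 'file:///attacker/controlled.jpg' };
  const legitimate = { id: scriptId, d: 'document.title result' };

  observed.accepted.push(handler(forged));
  observed.accepted.push(handler(legitimate));
  return observed;
}
```

With the vulnerable handler, `runScenario(false)` shows the Camera callback firing with the attacker's string; with the hardened handler, the forged message is refused while the genuine executeScript result still arrives. The important property is that the check is made against IDs the plugin itself created, not against the format of the ID, since the format is exactly what the attacker can predict.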
**Recommendations**
Upgrade cordova-plugin-inappbrowser to version 6.0.1 or later. Until the upgrade is applied, treat any page loaded in an InAppBrowser window as able to complete outstanding plugin callbacks in the host application.