SB2026042467 - Reverse Tabnabbing in HFS




Published: April 24, 2026

Security Bulletin ID: SB2026042467
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Reverse Tabnabbing (CVE-ID: N/A)

CWE-ID: CWE-1022 - Use of Web Link to Untrusted Target with window.opener Access

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to conduct phishing attacks.

The vulnerability exists because the HFS web link feature opens an added external web link in a new tab while leaving window.opener accessible to the linked page (use of a web link to an untrusted target with window.opener access). A remote attacker who compromises or controls the linked external page can replace the original HFS tab with a phishing page and conduct phishing attacks.

Only users on browsers without the browser-level protection remain vulnerable.
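
The following is an added example, not HFS code and not part of the original bulletin. It audits markup for links that open a new tab on another origin without rel="noopener" or rel="noreferrer" (either one severs window.opener) and shows the hardened attribute set. The origin, sample markup and function names are constructed for illustration.

```javascript
// Added example; function names and sample markup are constructed, not HFS code.
const PAGE_ORIGIN = "https://files.example.test"; // assumed origin of the linking page
const SAMPLE_HTML = `
<a href="https://external.example.test/docs" target="_blank">external, unguarded</a>
<a href="https://external.example.test/docs" target="_blank" rel="noopener noreferrer">guarded</a>
<a href="/shared/report.pdf" target="_blank">same origin</a>
<a href="https://external.example.test/docs">external, same tab</a>`;

// Approximate attribute extraction for audit purposes (not a full HTML parser).
function parseAnchors(html) {
  const attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  return [...html.matchAll(/<a\b([^>]*)>/gi)].map((m) => {
    const a = {};
    for (const [, name, dq, sq, bare] of m[1].matchAll(attrRe)) {
      a[name.toLowerCase()] = dq ?? sq ?? bare;
    }
    return a;
  });
}

// True when the link opens a new browsing context on another origin
// and nothing in rel severs window.opener.
function needsOpenerGuard(a, pageOrigin) {
  const target = (a.target || "").toLowerCase();
  if (target === "" || ["_self", "_parent", "_top"].includes(target)) return false;
  let origin;
  try {
    origin = new URL(a.href, pageOrigin).origin;
  } catch {
    return true; // unparsable href: treat as untrusted
  }
  if (origin === pageOrigin) return false;
  const rel = (a.rel || "").toLowerCase().split(/\s+/);
  return !(rel.includes("noopener") || rel.includes("noreferrer"));
}

// Returns a copy of the anchor attributes with the guard tokens added when needed.
function hardenAnchor(a, pageOrigin) {
  if (!needsOpenerGuard(a, pageOrigin)) return { ...a };
  const tokens = new Set((a.rel || "").split(/\s+/).filter(Boolean));
  tokens.add("noopener").add("noreferrer");
  return { ...a, rel: [...tokens].join(" ") };
}

// Lists the href of every anchor in the markup that still exposes window.opener.
function auditHtml(html, pageOrigin) {
  return parseAnchors(html).filter((a) => needsOpenerGuard(a, pageOrigin)).map((a) => a.href);
}

console.log(auditHtml(SAMPLE_HTML, PAGE_ORIGIN));
```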


Remediation

Install the update from the vendor's website.