CWE-1021Improper Restriction of Rendered UI Layers or Frames

Abstraction: Base · CVEs in our corpus: 376

The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.

A web application is expected to place restrictions on whether it is allowed to be rendered within frames, iframes, objects, embed or applet elements. Without the restrictions, users can be tricked into interacting with the application when they were not intending to.

Last updated: 09 May 2026 03:25 UTC

NIST 800-53 r5 controls that address this weakness (0)AI

Control	Title	Family	Why it addresses this CWE
No NIST controls proposed yet.

Top CVEs of this weakness type, ranked by Risk Priority

CVE	Risk	CVSS	EPSS	Published
`CVE-2023-1362`	4.4	6.1	0.5355	2023-03-13
`CVE-2021-21132`	3.0	9.6	0.1845	2021-02-09
`CVE-2016-2496`	2.0	9.8	0.0031	2016-06-13
`CVE-2021-23274`	2.0	9.8	0.0024	2021-03-23
`CVE-2021-43048`	2.0	9.8	0.0028	2021-11-16
`CVE-2021-21111`	1.9	9.6	0.0045	2021-01-08
`CVE-2023-41897`	1.9	8.8	0.0187	2023-10-19
`CVE-2018-18496`	1.8	8.8	0.0042	2019-02-28
`CVE-2015-5686`	1.8	8.8	0.0014	2020-02-27
`CVE-2021-22866`	1.8	8.8	0.0020	2021-05-14
`CVE-2021-3734`	1.8	8.8	0.0015	2021-08-26
`CVE-2022-3167`	1.8	8.8	0.0040	2022-09-08
`CVE-2024-10004`	1.8	9.1	0.0032	2024-10-15
`CVE-2019-16371`	1.7	8.2	0.0026	2019-09-16
`CVE-2021-44683`	1.7	8.2	0.0028	2022-03-25
`CVE-2026-0007`	1.7	8.6	0.0000	2026-03-02
`CVE-2018-9458`	1.6	7.8	0.0007	2018-11-06
`CVE-2018-9524`	1.6	7.8	0.0002	2018-11-14
`CVE-2020-0051`	1.6	7.8	0.0003	2020-03-10
`CVE-2020-0394`	1.6	7.8	0.0001	2020-09-17
`CVE-2020-0387`	1.6	7.8	0.0003	2020-09-17
`CVE-2020-0366`	1.6	7.8	0.0004	2020-09-17
`CVE-2020-13119`	1.6	8.1	0.0030	2020-09-24
`CVE-2020-27059`	1.6	7.8	0.0004	2021-01-11
`CVE-2021-21139`	1.6	6.5	0.0497	2021-02-09