Multiple X-Frame-Options Header Entries
- Risk:
Medium
- Type:
Passive
- CWE:
CWE-1021
- Summary
More than one X-Frame-Options (XFO) header entry was found in the response. A response carrying multiple XFO entries is not handled predictably across user-agents: browsers that follow the HTML standard refuse to render the page in a frame when the entries disagree, while older user-agents may honour only the first or only the last entry, so the clickjacking protection actually applied depends on the client. The usual cause is two layers each setting the header (for example the application framework and a reverse proxy or security middleware in front of it).
- Solution
Ensure the response carries exactly one X-Frame-Options header. Check every layer that can add one (application code or framework, web server, reverse proxy or CDN, security middleware) and set the header in one place only. Where supported, prefer the Content-Security-Policy frame-ancestors directive, which browsers honour in preference to X-Frame-Options, and keep a single XFO header alongside it for legacy clients.
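The check below, added here as an illustration and not code from the scanner that produced this finding, parses a raw HTTP response, collects every XFO entry (including comma-joined values on one line, which browsers split the same way), and classifies the response as missing, ok, duplicate (several entries, one value) or conflicting (several distinct values). It also shows the remediation as a header-list rewrite that leaves exactly one entry. The parse_headers helper and the sample responses are constructed for the example.

```python
"""Detect and fix duplicate X-Frame-Options (XFO) headers.

Added example for this finding; not the scanner's own code.
parse_headers() and the sample responses below are constructed
for illustration, not captured traffic.
"""
from typing import Dict, List, Tuple

XFO = "x-frame-options"


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Parse a raw HTTP/1.1 response into (name, value) pairs; the body is ignored.
    Names are lower-cased because HTTP field names are case-insensitive."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:  # lines[0] is the status line
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            continue  # blank or malformed line; a strict parser would reject it
        headers.append((name.strip().lower(), value.strip()))
    return headers


def xfo_values(headers: List[Tuple[str, str]]) -> List[str]:
    """Every XFO value in header order. A single line 'DENY, SAMEORIGIN' yields
    two values, matching the HTML standard's 'get, decode, and split' step."""
    values: List[str] = []
    for name, value in headers:
        if name == XFO:
            values.extend(v.strip().upper() for v in value.split(",") if v.strip())
    return values


def analyze_xfo(raw: bytes) -> Dict[str, object]:
    """Classify a response: missing, ok, duplicate (same value repeated) or
    conflicting (different values, which standards-following browsers refuse
    to frame at all, while legacy clients may pick first or last)."""
    headers = parse_headers(raw)
    header_lines = sum(1 for n, _ in headers if n == XFO)
    values = xfo_values(headers)
    unique = sorted(set(values))
    if header_lines == 0:
        verdict = "missing"
    elif len(unique) > 1:
        verdict = "conflicting"
    elif header_lines > 1 or len(values) > 1:
        verdict = "duplicate"
    else:
        verdict = "ok"
    return {"header_lines": header_lines, "values": values,
            "unique": unique, "verdict": verdict}


def normalize_xfo(headers: List[Tuple[str, str]],
                  policy: str = "DENY") -> List[Tuple[str, str]]:
    """Remediation at the last layer that touches the response: drop every
    XFO entry and emit exactly one with the intended policy."""
    kept = [(n, v) for n, v in headers if n.lower() != XFO]
    kept.append(("X-Frame-Options", policy))
    return kept


# Constructed sample responses (not real traffic).
CLEAN = (b"HTTP/1.1 200 OK\r\n"
         b"Content-Type: text/html\r\n"
         b"X-Frame-Options: DENY\r\n"
         b"\r\n<html></html>")
DUPLICATE_SAME = (b"HTTP/1.1 200 OK\r\n"
                  b"X-Frame-Options: SAMEORIGIN\r\n"   # set by the application
                  b"x-frame-options: SAMEORIGIN\r\n"   # added again by a proxy
                  b"\r\n")
CONFLICTING = (b"HTTP/1.1 200 OK\r\n"
               b"X-Frame-Options: SAMEORIGIN\r\n"
               b"X-Frame-Options: DENY\r\n"
               b"\r\n")
COMMA_JOINED = (b"HTTP/1.1 200 OK\r\n"
                b"X-Frame-Options: DENY, SAMEORIGIN\r\n"  # one line, two values
                b"\r\n")
MISSING = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN), ("duplicate", DUPLICATE_SAME),
                          ("conflicting", CONFLICTING), ("comma", COMMA_JOINED),
                          ("missing", MISSING)]:
        print(label, analyze_xfo(sample))
    print("fixed:", normalize_xfo(parse_headers(CONFLICTING)))
```

Run the script to see each verdict; the scanner's finding corresponds to the duplicate and conflicting cases. Apply normalize_xfo (or its equivalent in your proxy or framework configuration) only at the outermost layer, and remove the header from the inner layers so the fix does not itself reintroduce a second entry.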