Search
Find a vulnerability
Search criteria
8 vulnerabilities found for desktop by zen-browser
CVE-2026-57501 (GCVE-0-2026-57501)
Vulnerability from nvd – Published: 2026-07-09 22:27 – Updated: 2026-07-10 20:59
VLAI
EPSS
VEX
Title
Zen: Context-menu "Open link in glance" / "Split link in new tab" loads a page-controlled link with the System principal, bypassing the web-content scheme restriction
Summary
Zen is a firefox-based browser. Prior to 1.21.5b, Zen's glance and split-view context-menu actions, Open link in glance and Split link in new tab, load a page-controlled link URL with the System principal instead of the originating page's principal, allowing a malicious web page to place a link to a file URL that can load with System privileges when opened through either context-menu item and bypass the content-to-file security check that blocks an ordinary click. This issue is fixed in version 1.21.5b.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-266 - Incorrect Privilege Assignment
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/zen-browser/desktop/security/a… | x_refsource_CONFIRM |
| https://github.com/zen-browser/desktop/commit/44f… | x_refsource_MISC |
| https://github.com/zen-browser/desktop/releases/t… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| zen-browser | desktop |
Affected:
< 1.21.5b
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-57501",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T20:46:27.753145Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T20:59:23.914Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "desktop",
"vendor": "zen-browser",
"versions": [
{
"status": "affected",
"version": "\u003c 1.21.5b"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Zen is a firefox-based browser. Prior to 1.21.5b, Zen\u0027s glance and split-view context-menu actions, Open link in glance and Split link in new tab, load a page-controlled link URL with the System principal instead of the originating page\u0027s principal, allowing a malicious web page to place a link to a file URL that can load with System privileges when opened through either context-menu item and bypass the content-to-file security check that blocks an ordinary click. This issue is fixed in version 1.21.5b."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 0,
"baseSeverity": "NONE",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "CWE-266: Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T22:27:34.962Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zen-browser/desktop/security/advisories/GHSA-vpvg-hp3v-rm5q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zen-browser/desktop/security/advisories/GHSA-vpvg-hp3v-rm5q"
},
{
"name": "https://github.com/zen-browser/desktop/commit/44f7616238208200547c7df500d945752d7b6379",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zen-browser/desktop/commit/44f7616238208200547c7df500d945752d7b6379"
},
{
"name": "https://github.com/zen-browser/desktop/releases/tag/1.21.5b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zen-browser/desktop/releases/tag/1.21.5b"
}
],
"source": {
"advisory": "GHSA-vpvg-hp3v-rm5q",
"discovery": "UNKNOWN"
},
"title": "Zen: Context-menu \"Open link in glance\" / \"Split link in new tab\" loads a page-controlled link with the System principal, bypassing the web-content scheme restriction"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-57501",
"datePublished": "2026-07-09T22:27:34.962Z",
"dateReserved": "2026-06-24T14:53:40.112Z",
"dateUpdated": "2026-07-10T20:59:23.914Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44659 (GCVE-0-2026-44659)
Vulnerability from nvd – Published: 2026-05-11 17:01 – Updated: 2026-05-12 16:13
VLAI
EPSS
VEX
Title
Zen Browser Mac - Address Bar Spoofing via Long Subdomain
Summary
Zen is a firefox-based browser. Prior to 1.19.12b, the ZEN Browser incorrectly truncates long hostnames in the address bar and shows only the attacker-controlled prefix of the subdomain, hiding the actual registrable domain (eTLD+1). As a result, an attacker can craft extremely long malicious subdomains that visually imitate trusted brands, and the browser will display only the spoofed prefix, misleading users about the actual origin of the site. This directly compromises the URL bar as a security indicator and creates a phishing/supply-chain attack vector. This vulnerability is fixed in 1.19.12b.
Severity
4.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-451 - User Interface (UI) Misrepresentation of Critical Information
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/zen-browser/desktop/security/a… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| zen-browser | desktop |
Affected:
< 1.19.12b
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44659",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-12T16:13:40.754441Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T16:13:51.896Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "desktop",
"vendor": "zen-browser",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.12b"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Zen is a firefox-based browser. Prior to 1.19.12b, the ZEN Browser incorrectly truncates long hostnames in the address bar and shows only the attacker-controlled prefix of the subdomain, hiding the actual registrable domain (eTLD+1). As a result, an attacker can craft extremely long malicious subdomains that visually imitate trusted brands, and the browser will display only the spoofed prefix, misleading users about the actual origin of the site. This directly compromises the URL bar as a security indicator and creates a phishing/supply-chain attack vector. This vulnerability is fixed in 1.19.12b."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-451",
"description": "CWE-451: User Interface (UI) Misrepresentation of Critical Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T17:01:18.559Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zen-browser/desktop/security/advisories/GHSA-7p2r-fp29-9w69",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zen-browser/desktop/security/advisories/GHSA-7p2r-fp29-9w69"
}
],
"source": {
"advisory": "GHSA-7p2r-fp29-9w69",
"discovery": "UNKNOWN"
},
"title": "Zen Browser Mac - Address Bar Spoofing via Long Subdomain"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44659",
"datePublished": "2026-05-11T17:01:18.559Z",
"dateReserved": "2026-05-07T16:20:08.659Z",
"dateUpdated": "2026-05-12T16:13:51.896Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44658 (GCVE-0-2026-44658)
Vulnerability from nvd – Published: 2026-05-11 17:00 – Updated: 2026-05-11 19:04
VLAI
EPSS
VEX
Title
Zen Browser: RSS Live-Folder Item URLs Are Not Scheme-Restricted Before Trusted Tab Creation
Summary
Zen is a firefox-based browser. Prior to 1.19.12b, RSS feed URLs entered by the user are validated to http: or https: in promptForFeedUrl, but item links inside the feed are not subject to the same restriction. The provider maps each RSS/Atom item link into item.url, filters only for presence and date, and returns the item list. The live-folder manager later creates pinned lazy tabs from these values with gBrowser.addTrustedTab(item.url, ...). This vulnerability is fixed in 1.19.12b.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/zen-browser/desktop/security/a… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| zen-browser | desktop |
Affected:
< 1.19.12b
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44658",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T18:22:28.229614Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T19:04:14.434Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "desktop",
"vendor": "zen-browser",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.12b"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Zen is a firefox-based browser. Prior to 1.19.12b, RSS feed URLs entered by the user are validated to http: or https: in promptForFeedUrl, but item links inside the feed are not subject to the same restriction. The provider maps each RSS/Atom item link into item.url, filters only for presence and date, and returns the item list. The live-folder manager later creates pinned lazy tabs from these values with gBrowser.addTrustedTab(item.url, ...). This vulnerability is fixed in 1.19.12b."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.4,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T17:00:31.639Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zen-browser/desktop/security/advisories/GHSA-cc9c-mmmf-c5j6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zen-browser/desktop/security/advisories/GHSA-cc9c-mmmf-c5j6"
}
],
"source": {
"advisory": "GHSA-cc9c-mmmf-c5j6",
"discovery": "UNKNOWN"
},
"title": "Zen Browser: RSS Live-Folder Item URLs Are Not Scheme-Restricted Before Trusted Tab Creation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44658",
"datePublished": "2026-05-11T17:00:31.639Z",
"dateReserved": "2026-05-07T16:20:08.659Z",
"dateUpdated": "2026-05-11T19:04:14.434Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41431 (GCVE-0-2026-41431)
Vulnerability from nvd – Published: 2026-05-11 16:55 – Updated: 2026-05-11 18:31
VLAI
EPSS
VEX
Title
Zen Browser MAR updater ships with signature verification removed — unsigned updates accepted
Summary
Zen is a firefox-based browser. Prior to 1.19.9b, Zen Browser ships a Mozilla Application Resource (MAR) updater (org.mozilla.updater) that has had all MAR signature verification stripped from the Firefox codebase it was forked from. The MAR files served to users contain zero cryptographic signatures, and the updater binary contains zero cryptographic verification code. This eliminates the defense-in-depth that MAR signing provides. If the update server or GitHub release pipeline is compromised, arbitrary unsigned code can be delivered to all Zen users via the auto-update mechanism. This vulnerability is fixed in 1.19.9b.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-347 - Improper Verification of Cryptographic Signature
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/zen-browser/desktop/security/a… | x_refsource_CONFIRM |
| https://github.com/zen-browser/desktop/commit/270… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| zen-browser | desktop |
Affected:
< 1.19.9b
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41431",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T18:31:13.968267Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T18:31:38.146Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/zen-browser/desktop/security/advisories/GHSA-qpj9-m8jc-mw6q"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "desktop",
"vendor": "zen-browser",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.9b"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Zen is a firefox-based browser. Prior to 1.19.9b, Zen Browser ships a Mozilla Application Resource (MAR) updater (org.mozilla.updater) that has had all MAR signature verification stripped from the Firefox codebase it was forked from. The MAR files served to users contain zero cryptographic signatures, and the updater binary contains zero cryptographic verification code. This eliminates the defense-in-depth that MAR signing provides. If the update server or GitHub release pipeline is compromised, arbitrary unsigned code can be delivered to all Zen users via the auto-update mechanism. This vulnerability is fixed in 1.19.9b."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T16:55:10.814Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zen-browser/desktop/security/advisories/GHSA-qpj9-m8jc-mw6q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zen-browser/desktop/security/advisories/GHSA-qpj9-m8jc-mw6q"
},
{
"name": "https://github.com/zen-browser/desktop/commit/270db6d6713d2c6c14d9df0b4bc7662843d3d54e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zen-browser/desktop/commit/270db6d6713d2c6c14d9df0b4bc7662843d3d54e"
}
],
"source": {
"advisory": "GHSA-qpj9-m8jc-mw6q",
"discovery": "UNKNOWN"
},
"title": "Zen Browser MAR updater ships with signature verification removed \u2014 unsigned updates accepted"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41431",
"datePublished": "2026-05-11T16:55:10.814Z",
"dateReserved": "2026-04-20T15:32:33.814Z",
"dateUpdated": "2026-05-11T18:31:38.146Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-57501 (GCVE-0-2026-57501)
Vulnerability from cvelistv5 – Published: 2026-07-09 22:27 – Updated: 2026-07-10 20:59
VLAI
EPSS
VEX
Title
Zen: Context-menu "Open link in glance" / "Split link in new tab" loads a page-controlled link with the System principal, bypassing the web-content scheme restriction
Summary
Zen is a firefox-based browser. Prior to 1.21.5b, Zen's glance and split-view context-menu actions, Open link in glance and Split link in new tab, load a page-controlled link URL with the System principal instead of the originating page's principal, allowing a malicious web page to place a link to a file URL that can load with System privileges when opened through either context-menu item and bypass the content-to-file security check that blocks an ordinary click. This issue is fixed in version 1.21.5b.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-266 - Incorrect Privilege Assignment
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/zen-browser/desktop/security/a… | x_refsource_CONFIRM |
| https://github.com/zen-browser/desktop/commit/44f… | x_refsource_MISC |
| https://github.com/zen-browser/desktop/releases/t… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| zen-browser | desktop |
Affected:
< 1.21.5b
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-57501",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T20:46:27.753145Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T20:59:23.914Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "desktop",
"vendor": "zen-browser",
"versions": [
{
"status": "affected",
"version": "\u003c 1.21.5b"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Zen is a firefox-based browser. Prior to 1.21.5b, Zen\u0027s glance and split-view context-menu actions, Open link in glance and Split link in new tab, load a page-controlled link URL with the System principal instead of the originating page\u0027s principal, allowing a malicious web page to place a link to a file URL that can load with System privileges when opened through either context-menu item and bypass the content-to-file security check that blocks an ordinary click. This issue is fixed in version 1.21.5b."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 0,
"baseSeverity": "NONE",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "CWE-266: Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T22:27:34.962Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zen-browser/desktop/security/advisories/GHSA-vpvg-hp3v-rm5q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zen-browser/desktop/security/advisories/GHSA-vpvg-hp3v-rm5q"
},
{
"name": "https://github.com/zen-browser/desktop/commit/44f7616238208200547c7df500d945752d7b6379",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zen-browser/desktop/commit/44f7616238208200547c7df500d945752d7b6379"
},
{
"name": "https://github.com/zen-browser/desktop/releases/tag/1.21.5b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zen-browser/desktop/releases/tag/1.21.5b"
}
],
"source": {
"advisory": "GHSA-vpvg-hp3v-rm5q",
"discovery": "UNKNOWN"
},
"title": "Zen: Context-menu \"Open link in glance\" / \"Split link in new tab\" loads a page-controlled link with the System principal, bypassing the web-content scheme restriction"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-57501",
"datePublished": "2026-07-09T22:27:34.962Z",
"dateReserved": "2026-06-24T14:53:40.112Z",
"dateUpdated": "2026-07-10T20:59:23.914Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44659 (GCVE-0-2026-44659)
Vulnerability from cvelistv5 – Published: 2026-05-11 17:01 – Updated: 2026-05-12 16:13
VLAI
EPSS
VEX
Title
Zen Browser Mac - Address Bar Spoofing via Long Subdomain
Summary
Zen is a firefox-based browser. Prior to 1.19.12b, the ZEN Browser incorrectly truncates long hostnames in the address bar and shows only the attacker-controlled prefix of the subdomain, hiding the actual registrable domain (eTLD+1). As a result, an attacker can craft extremely long malicious subdomains that visually imitate trusted brands, and the browser will display only the spoofed prefix, misleading users about the actual origin of the site. This directly compromises the URL bar as a security indicator and creates a phishing/supply-chain attack vector. This vulnerability is fixed in 1.19.12b.
Severity
4.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-451 - User Interface (UI) Misrepresentation of Critical Information
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/zen-browser/desktop/security/a… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| zen-browser | desktop |
Affected:
< 1.19.12b
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44659",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-12T16:13:40.754441Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T16:13:51.896Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "desktop",
"vendor": "zen-browser",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.12b"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Zen is a firefox-based browser. Prior to 1.19.12b, the ZEN Browser incorrectly truncates long hostnames in the address bar and shows only the attacker-controlled prefix of the subdomain, hiding the actual registrable domain (eTLD+1). As a result, an attacker can craft extremely long malicious subdomains that visually imitate trusted brands, and the browser will display only the spoofed prefix, misleading users about the actual origin of the site. This directly compromises the URL bar as a security indicator and creates a phishing/supply-chain attack vector. This vulnerability is fixed in 1.19.12b."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-451",
"description": "CWE-451: User Interface (UI) Misrepresentation of Critical Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T17:01:18.559Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zen-browser/desktop/security/advisories/GHSA-7p2r-fp29-9w69",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zen-browser/desktop/security/advisories/GHSA-7p2r-fp29-9w69"
}
],
"source": {
"advisory": "GHSA-7p2r-fp29-9w69",
"discovery": "UNKNOWN"
},
"title": "Zen Browser Mac - Address Bar Spoofing via Long Subdomain"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44659",
"datePublished": "2026-05-11T17:01:18.559Z",
"dateReserved": "2026-05-07T16:20:08.659Z",
"dateUpdated": "2026-05-12T16:13:51.896Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44658 (GCVE-0-2026-44658)
Vulnerability from cvelistv5 – Published: 2026-05-11 17:00 – Updated: 2026-05-11 19:04
VLAI
EPSS
VEX
Title
Zen Browser: RSS Live-Folder Item URLs Are Not Scheme-Restricted Before Trusted Tab Creation
Summary
Zen is a firefox-based browser. Prior to 1.19.12b, RSS feed URLs entered by the user are validated to http: or https: in promptForFeedUrl, but item links inside the feed are not subject to the same restriction. The provider maps each RSS/Atom item link into item.url, filters only for presence and date, and returns the item list. The live-folder manager later creates pinned lazy tabs from these values with gBrowser.addTrustedTab(item.url, ...). This vulnerability is fixed in 1.19.12b.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/zen-browser/desktop/security/a… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| zen-browser | desktop |
Affected:
< 1.19.12b
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44658",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T18:22:28.229614Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T19:04:14.434Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "desktop",
"vendor": "zen-browser",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.12b"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Zen is a firefox-based browser. Prior to 1.19.12b, RSS feed URLs entered by the user are validated to http: or https: in promptForFeedUrl, but item links inside the feed are not subject to the same restriction. The provider maps each RSS/Atom item link into item.url, filters only for presence and date, and returns the item list. The live-folder manager later creates pinned lazy tabs from these values with gBrowser.addTrustedTab(item.url, ...). This vulnerability is fixed in 1.19.12b."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.4,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T17:00:31.639Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zen-browser/desktop/security/advisories/GHSA-cc9c-mmmf-c5j6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zen-browser/desktop/security/advisories/GHSA-cc9c-mmmf-c5j6"
}
],
"source": {
"advisory": "GHSA-cc9c-mmmf-c5j6",
"discovery": "UNKNOWN"
},
"title": "Zen Browser: RSS Live-Folder Item URLs Are Not Scheme-Restricted Before Trusted Tab Creation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44658",
"datePublished": "2026-05-11T17:00:31.639Z",
"dateReserved": "2026-05-07T16:20:08.659Z",
"dateUpdated": "2026-05-11T19:04:14.434Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41431 (GCVE-0-2026-41431)
Vulnerability from cvelistv5 – Published: 2026-05-11 16:55 – Updated: 2026-05-11 18:31
VLAI
EPSS
VEX
Title
Zen Browser MAR updater ships with signature verification removed — unsigned updates accepted
Summary
Zen is a firefox-based browser. Prior to 1.19.9b, Zen Browser ships a Mozilla Application Resource (MAR) updater (org.mozilla.updater) that has had all MAR signature verification stripped from the Firefox codebase it was forked from. The MAR files served to users contain zero cryptographic signatures, and the updater binary contains zero cryptographic verification code. This eliminates the defense-in-depth that MAR signing provides. If the update server or GitHub release pipeline is compromised, arbitrary unsigned code can be delivered to all Zen users via the auto-update mechanism. This vulnerability is fixed in 1.19.9b.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-347 - Improper Verification of Cryptographic Signature
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/zen-browser/desktop/security/a… | x_refsource_CONFIRM |
| https://github.com/zen-browser/desktop/commit/270… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| zen-browser | desktop |
Affected:
< 1.19.9b
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41431",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T18:31:13.968267Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T18:31:38.146Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/zen-browser/desktop/security/advisories/GHSA-qpj9-m8jc-mw6q"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "desktop",
"vendor": "zen-browser",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.9b"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Zen is a firefox-based browser. Prior to 1.19.9b, Zen Browser ships a Mozilla Application Resource (MAR) updater (org.mozilla.updater) that has had all MAR signature verification stripped from the Firefox codebase it was forked from. The MAR files served to users contain zero cryptographic signatures, and the updater binary contains zero cryptographic verification code. This eliminates the defense-in-depth that MAR signing provides. If the update server or GitHub release pipeline is compromised, arbitrary unsigned code can be delivered to all Zen users via the auto-update mechanism. This vulnerability is fixed in 1.19.9b."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T16:55:10.814Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zen-browser/desktop/security/advisories/GHSA-qpj9-m8jc-mw6q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zen-browser/desktop/security/advisories/GHSA-qpj9-m8jc-mw6q"
},
{
"name": "https://github.com/zen-browser/desktop/commit/270db6d6713d2c6c14d9df0b4bc7662843d3d54e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zen-browser/desktop/commit/270db6d6713d2c6c14d9df0b4bc7662843d3d54e"
}
],
"source": {
"advisory": "GHSA-qpj9-m8jc-mw6q",
"discovery": "UNKNOWN"
},
"title": "Zen Browser MAR updater ships with signature verification removed \u2014 unsigned updates accepted"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41431",
"datePublished": "2026-05-11T16:55:10.814Z",
"dateReserved": "2026-04-20T15:32:33.814Z",
"dateUpdated": "2026-05-11T18:31:38.146Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}