Search

Find a vulnerability

Search criteria

    8 vulnerabilities by zen-browser

    CVE-2026-57501 (GCVE-0-2026-57501)

    Vulnerability from nvd – Published: 2026-07-09 22:27 – Updated: 2026-07-10 20:59
    VLAI
    Title
    Zen: Context-menu "Open link in glance" / "Split link in new tab" loads a page-controlled link with the System principal, bypassing the web-content scheme restriction
    Summary
    Zen is a firefox-based browser. Prior to 1.21.5b, Zen's glance and split-view context-menu actions, Open link in glance and Split link in new tab, load a page-controlled link URL with the System principal instead of the originating page's principal, allowing a malicious web page to place a link to a file URL that can load with System privileges when opened through either context-menu item and bypass the content-to-file security check that blocks an ordinary click. This issue is fixed in version 1.21.5b.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-266 - Incorrect Privilege Assignment
    Assigner
    Impacted products
    Vendor Product Version
    zen-browser desktop Affected: < 1.21.5b
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-57501",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T20:46:27.753145Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T20:59:23.914Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "desktop",
              "vendor": "zen-browser",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.21.5b"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Zen is a firefox-based browser. Prior to 1.21.5b, Zen\u0027s glance and split-view context-menu actions, Open link in glance and Split link in new tab, load a page-controlled link URL with the System principal instead of the originating page\u0027s principal, allowing a malicious web page to place a link to a file URL that can load with System privileges when opened through either context-menu item and bypass the content-to-file security check that blocks an ordinary click. This issue is fixed in version 1.21.5b."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 0,
                "baseSeverity": "NONE",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-266",
                  "description": "CWE-266: Incorrect Privilege Assignment",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T22:27:34.962Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/zen-browser/desktop/security/advisories/GHSA-vpvg-hp3v-rm5q",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/zen-browser/desktop/security/advisories/GHSA-vpvg-hp3v-rm5q"
            },
            {
              "name": "https://github.com/zen-browser/desktop/commit/44f7616238208200547c7df500d945752d7b6379",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zen-browser/desktop/commit/44f7616238208200547c7df500d945752d7b6379"
            },
            {
              "name": "https://github.com/zen-browser/desktop/releases/tag/1.21.5b",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zen-browser/desktop/releases/tag/1.21.5b"
            }
          ],
          "source": {
            "advisory": "GHSA-vpvg-hp3v-rm5q",
            "discovery": "UNKNOWN"
          },
          "title": "Zen: Context-menu \"Open link in glance\" / \"Split link in new tab\" loads a page-controlled link with the System principal, bypassing the web-content scheme restriction"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-57501",
        "datePublished": "2026-07-09T22:27:34.962Z",
        "dateReserved": "2026-06-24T14:53:40.112Z",
        "dateUpdated": "2026-07-10T20:59:23.914Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-44659 (GCVE-0-2026-44659)

    Vulnerability from nvd – Published: 2026-05-11 17:01 – Updated: 2026-05-12 16:13
    VLAI
    Title
    Zen Browser Mac - Address Bar Spoofing via Long Subdomain
    Summary
    Zen is a firefox-based browser. Prior to 1.19.12b, the ZEN Browser incorrectly truncates long hostnames in the address bar and shows only the attacker-controlled prefix of the subdomain, hiding the actual registrable domain (eTLD+1). As a result, an attacker can craft extremely long malicious subdomains that visually imitate trusted brands, and the browser will display only the spoofed prefix, misleading users about the actual origin of the site. This directly compromises the URL bar as a security indicator and creates a phishing/supply-chain attack vector. This vulnerability is fixed in 1.19.12b.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-451 - User Interface (UI) Misrepresentation of Critical Information
    Assigner
    References
    Impacted products
    Vendor Product Version
    zen-browser desktop Affected: < 1.19.12b
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-44659",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-12T16:13:40.754441Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T16:13:51.896Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "desktop",
              "vendor": "zen-browser",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.19.12b"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Zen is a firefox-based browser. Prior to 1.19.12b, the ZEN Browser incorrectly truncates long hostnames in the address bar and shows only the attacker-controlled prefix of the subdomain, hiding the actual registrable domain (eTLD+1). As a result, an attacker can craft extremely long malicious subdomains that visually imitate trusted brands, and the browser will display only the spoofed prefix, misleading users about the actual origin of the site. This directly compromises the URL bar as a security indicator and creates a phishing/supply-chain attack vector. This vulnerability is fixed in 1.19.12b."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-451",
                  "description": "CWE-451: User Interface (UI) Misrepresentation of Critical Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-11T17:01:18.559Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/zen-browser/desktop/security/advisories/GHSA-7p2r-fp29-9w69",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/zen-browser/desktop/security/advisories/GHSA-7p2r-fp29-9w69"
            }
          ],
          "source": {
            "advisory": "GHSA-7p2r-fp29-9w69",
            "discovery": "UNKNOWN"
          },
          "title": "Zen Browser Mac - Address Bar Spoofing via Long Subdomain"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-44659",
        "datePublished": "2026-05-11T17:01:18.559Z",
        "dateReserved": "2026-05-07T16:20:08.659Z",
        "dateUpdated": "2026-05-12T16:13:51.896Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-44658 (GCVE-0-2026-44658)

    Vulnerability from nvd – Published: 2026-05-11 17:00 – Updated: 2026-05-11 19:04
    VLAI
    Title
    Zen Browser: RSS Live-Folder Item URLs Are Not Scheme-Restricted Before Trusted Tab Creation
    Summary
    Zen is a firefox-based browser. Prior to 1.19.12b, RSS feed URLs entered by the user are validated to http: or https: in promptForFeedUrl, but item links inside the feed are not subject to the same restriction. The provider maps each RSS/Atom item link into item.url, filters only for presence and date, and returns the item list. The live-folder manager later creates pinned lazy tabs from these values with gBrowser.addTrustedTab(item.url, ...). This vulnerability is fixed in 1.19.12b.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    zen-browser desktop Affected: < 1.19.12b
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-44658",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-11T18:22:28.229614Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-11T19:04:14.434Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "desktop",
              "vendor": "zen-browser",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.19.12b"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Zen is a firefox-based browser. Prior to 1.19.12b, RSS feed URLs entered by the user are validated to http: or https: in promptForFeedUrl, but item links inside the feed are not subject to the same restriction. The provider maps each RSS/Atom item link into item.url, filters only for presence and date, and returns the item list. The live-folder manager later creates pinned lazy tabs from these values with gBrowser.addTrustedTab(item.url, ...). This vulnerability is fixed in 1.19.12b."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 2.4,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-11T17:00:31.639Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/zen-browser/desktop/security/advisories/GHSA-cc9c-mmmf-c5j6",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/zen-browser/desktop/security/advisories/GHSA-cc9c-mmmf-c5j6"
            }
          ],
          "source": {
            "advisory": "GHSA-cc9c-mmmf-c5j6",
            "discovery": "UNKNOWN"
          },
          "title": "Zen Browser: RSS Live-Folder Item URLs Are Not Scheme-Restricted Before Trusted Tab Creation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-44658",
        "datePublished": "2026-05-11T17:00:31.639Z",
        "dateReserved": "2026-05-07T16:20:08.659Z",
        "dateUpdated": "2026-05-11T19:04:14.434Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-41431 (GCVE-0-2026-41431)

    Vulnerability from nvd – Published: 2026-05-11 16:55 – Updated: 2026-05-11 18:31
    VLAI
    Title
    Zen Browser MAR updater ships with signature verification removed — unsigned updates accepted
    Summary
    Zen is a firefox-based browser. Prior to 1.19.9b, Zen Browser ships a Mozilla Application Resource (MAR) updater (org.mozilla.updater) that has had all MAR signature verification stripped from the Firefox codebase it was forked from. The MAR files served to users contain zero cryptographic signatures, and the updater binary contains zero cryptographic verification code. This eliminates the defense-in-depth that MAR signing provides. If the update server or GitHub release pipeline is compromised, arbitrary unsigned code can be delivered to all Zen users via the auto-update mechanism. This vulnerability is fixed in 1.19.9b.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-347 - Improper Verification of Cryptographic Signature
    Assigner
    References
    Impacted products
    Vendor Product Version
    zen-browser desktop Affected: < 1.19.9b
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41431",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-11T18:31:13.968267Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-11T18:31:38.146Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/zen-browser/desktop/security/advisories/GHSA-qpj9-m8jc-mw6q"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "desktop",
              "vendor": "zen-browser",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.19.9b"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Zen is a firefox-based browser. Prior to 1.19.9b, Zen Browser ships a Mozilla Application Resource (MAR) updater (org.mozilla.updater) that has had all MAR signature verification stripped from the Firefox codebase it was forked from. The MAR files served to users contain zero cryptographic signatures, and the updater binary contains zero cryptographic verification code. This eliminates the defense-in-depth that MAR signing provides. If the update server or GitHub release pipeline is compromised, arbitrary unsigned code can be delivered to all Zen users via the auto-update mechanism. This vulnerability is fixed in 1.19.9b."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-347",
                  "description": "CWE-347: Improper Verification of Cryptographic Signature",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-11T16:55:10.814Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/zen-browser/desktop/security/advisories/GHSA-qpj9-m8jc-mw6q",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/zen-browser/desktop/security/advisories/GHSA-qpj9-m8jc-mw6q"
            },
            {
              "name": "https://github.com/zen-browser/desktop/commit/270db6d6713d2c6c14d9df0b4bc7662843d3d54e",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zen-browser/desktop/commit/270db6d6713d2c6c14d9df0b4bc7662843d3d54e"
            }
          ],
          "source": {
            "advisory": "GHSA-qpj9-m8jc-mw6q",
            "discovery": "UNKNOWN"
          },
          "title": "Zen Browser MAR updater ships with signature verification removed \u2014 unsigned updates accepted"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41431",
        "datePublished": "2026-05-11T16:55:10.814Z",
        "dateReserved": "2026-04-20T15:32:33.814Z",
        "dateUpdated": "2026-05-11T18:31:38.146Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-57501 (GCVE-0-2026-57501)

    Vulnerability from cvelistv5 – Published: 2026-07-09 22:27 – Updated: 2026-07-10 20:59
    VLAI
    Title
    Zen: Context-menu "Open link in glance" / "Split link in new tab" loads a page-controlled link with the System principal, bypassing the web-content scheme restriction
    Summary
    Zen is a firefox-based browser. Prior to 1.21.5b, Zen's glance and split-view context-menu actions, Open link in glance and Split link in new tab, load a page-controlled link URL with the System principal instead of the originating page's principal, allowing a malicious web page to place a link to a file URL that can load with System privileges when opened through either context-menu item and bypass the content-to-file security check that blocks an ordinary click. This issue is fixed in version 1.21.5b.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-266 - Incorrect Privilege Assignment
    Assigner
    Impacted products
    Vendor Product Version
    zen-browser desktop Affected: < 1.21.5b
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-57501",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T20:46:27.753145Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T20:59:23.914Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "desktop",
              "vendor": "zen-browser",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.21.5b"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Zen is a firefox-based browser. Prior to 1.21.5b, Zen\u0027s glance and split-view context-menu actions, Open link in glance and Split link in new tab, load a page-controlled link URL with the System principal instead of the originating page\u0027s principal, allowing a malicious web page to place a link to a file URL that can load with System privileges when opened through either context-menu item and bypass the content-to-file security check that blocks an ordinary click. This issue is fixed in version 1.21.5b."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 0,
                "baseSeverity": "NONE",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-266",
                  "description": "CWE-266: Incorrect Privilege Assignment",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-09T22:27:34.962Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/zen-browser/desktop/security/advisories/GHSA-vpvg-hp3v-rm5q",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/zen-browser/desktop/security/advisories/GHSA-vpvg-hp3v-rm5q"
            },
            {
              "name": "https://github.com/zen-browser/desktop/commit/44f7616238208200547c7df500d945752d7b6379",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zen-browser/desktop/commit/44f7616238208200547c7df500d945752d7b6379"
            },
            {
              "name": "https://github.com/zen-browser/desktop/releases/tag/1.21.5b",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zen-browser/desktop/releases/tag/1.21.5b"
            }
          ],
          "source": {
            "advisory": "GHSA-vpvg-hp3v-rm5q",
            "discovery": "UNKNOWN"
          },
          "title": "Zen: Context-menu \"Open link in glance\" / \"Split link in new tab\" loads a page-controlled link with the System principal, bypassing the web-content scheme restriction"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-57501",
        "datePublished": "2026-07-09T22:27:34.962Z",
        "dateReserved": "2026-06-24T14:53:40.112Z",
        "dateUpdated": "2026-07-10T20:59:23.914Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-44659 (GCVE-0-2026-44659)

    Vulnerability from cvelistv5 – Published: 2026-05-11 17:01 – Updated: 2026-05-12 16:13
    VLAI
    Title
    Zen Browser Mac - Address Bar Spoofing via Long Subdomain
    Summary
    Zen is a firefox-based browser. Prior to 1.19.12b, the ZEN Browser incorrectly truncates long hostnames in the address bar and shows only the attacker-controlled prefix of the subdomain, hiding the actual registrable domain (eTLD+1). As a result, an attacker can craft extremely long malicious subdomains that visually imitate trusted brands, and the browser will display only the spoofed prefix, misleading users about the actual origin of the site. This directly compromises the URL bar as a security indicator and creates a phishing/supply-chain attack vector. This vulnerability is fixed in 1.19.12b.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-451 - User Interface (UI) Misrepresentation of Critical Information
    Assigner
    References
    Impacted products
    Vendor Product Version
    zen-browser desktop Affected: < 1.19.12b
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-44659",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-12T16:13:40.754441Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T16:13:51.896Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "desktop",
              "vendor": "zen-browser",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.19.12b"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Zen is a firefox-based browser. Prior to 1.19.12b, the ZEN Browser incorrectly truncates long hostnames in the address bar and shows only the attacker-controlled prefix of the subdomain, hiding the actual registrable domain (eTLD+1). As a result, an attacker can craft extremely long malicious subdomains that visually imitate trusted brands, and the browser will display only the spoofed prefix, misleading users about the actual origin of the site. This directly compromises the URL bar as a security indicator and creates a phishing/supply-chain attack vector. This vulnerability is fixed in 1.19.12b."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-451",
                  "description": "CWE-451: User Interface (UI) Misrepresentation of Critical Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-11T17:01:18.559Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/zen-browser/desktop/security/advisories/GHSA-7p2r-fp29-9w69",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/zen-browser/desktop/security/advisories/GHSA-7p2r-fp29-9w69"
            }
          ],
          "source": {
            "advisory": "GHSA-7p2r-fp29-9w69",
            "discovery": "UNKNOWN"
          },
          "title": "Zen Browser Mac - Address Bar Spoofing via Long Subdomain"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-44659",
        "datePublished": "2026-05-11T17:01:18.559Z",
        "dateReserved": "2026-05-07T16:20:08.659Z",
        "dateUpdated": "2026-05-12T16:13:51.896Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-44658 (GCVE-0-2026-44658)

    Vulnerability from cvelistv5 – Published: 2026-05-11 17:00 – Updated: 2026-05-11 19:04
    VLAI
    Title
    Zen Browser: RSS Live-Folder Item URLs Are Not Scheme-Restricted Before Trusted Tab Creation
    Summary
    Zen is a firefox-based browser. Prior to 1.19.12b, RSS feed URLs entered by the user are validated to http: or https: in promptForFeedUrl, but item links inside the feed are not subject to the same restriction. The provider maps each RSS/Atom item link into item.url, filters only for presence and date, and returns the item list. The live-folder manager later creates pinned lazy tabs from these values with gBrowser.addTrustedTab(item.url, ...). This vulnerability is fixed in 1.19.12b.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    zen-browser desktop Affected: < 1.19.12b
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-44658",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-11T18:22:28.229614Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-11T19:04:14.434Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "desktop",
              "vendor": "zen-browser",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.19.12b"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Zen is a firefox-based browser. Prior to 1.19.12b, RSS feed URLs entered by the user are validated to http: or https: in promptForFeedUrl, but item links inside the feed are not subject to the same restriction. The provider maps each RSS/Atom item link into item.url, filters only for presence and date, and returns the item list. The live-folder manager later creates pinned lazy tabs from these values with gBrowser.addTrustedTab(item.url, ...). This vulnerability is fixed in 1.19.12b."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 2.4,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-11T17:00:31.639Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/zen-browser/desktop/security/advisories/GHSA-cc9c-mmmf-c5j6",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/zen-browser/desktop/security/advisories/GHSA-cc9c-mmmf-c5j6"
            }
          ],
          "source": {
            "advisory": "GHSA-cc9c-mmmf-c5j6",
            "discovery": "UNKNOWN"
          },
          "title": "Zen Browser: RSS Live-Folder Item URLs Are Not Scheme-Restricted Before Trusted Tab Creation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-44658",
        "datePublished": "2026-05-11T17:00:31.639Z",
        "dateReserved": "2026-05-07T16:20:08.659Z",
        "dateUpdated": "2026-05-11T19:04:14.434Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-41431 (GCVE-0-2026-41431)

    Vulnerability from cvelistv5 – Published: 2026-05-11 16:55 – Updated: 2026-05-11 18:31
    VLAI
    Title
    Zen Browser MAR updater ships with signature verification removed — unsigned updates accepted
    Summary
    Zen is a firefox-based browser. Prior to 1.19.9b, Zen Browser ships a Mozilla Application Resource (MAR) updater (org.mozilla.updater) that has had all MAR signature verification stripped from the Firefox codebase it was forked from. The MAR files served to users contain zero cryptographic signatures, and the updater binary contains zero cryptographic verification code. This eliminates the defense-in-depth that MAR signing provides. If the update server or GitHub release pipeline is compromised, arbitrary unsigned code can be delivered to all Zen users via the auto-update mechanism. This vulnerability is fixed in 1.19.9b.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-347 - Improper Verification of Cryptographic Signature
    Assigner
    References
    Impacted products
    Vendor Product Version
    zen-browser desktop Affected: < 1.19.9b
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41431",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-11T18:31:13.968267Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-11T18:31:38.146Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/zen-browser/desktop/security/advisories/GHSA-qpj9-m8jc-mw6q"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "desktop",
              "vendor": "zen-browser",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.19.9b"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Zen is a firefox-based browser. Prior to 1.19.9b, Zen Browser ships a Mozilla Application Resource (MAR) updater (org.mozilla.updater) that has had all MAR signature verification stripped from the Firefox codebase it was forked from. The MAR files served to users contain zero cryptographic signatures, and the updater binary contains zero cryptographic verification code. This eliminates the defense-in-depth that MAR signing provides. If the update server or GitHub release pipeline is compromised, arbitrary unsigned code can be delivered to all Zen users via the auto-update mechanism. This vulnerability is fixed in 1.19.9b."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-347",
                  "description": "CWE-347: Improper Verification of Cryptographic Signature",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-11T16:55:10.814Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/zen-browser/desktop/security/advisories/GHSA-qpj9-m8jc-mw6q",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/zen-browser/desktop/security/advisories/GHSA-qpj9-m8jc-mw6q"
            },
            {
              "name": "https://github.com/zen-browser/desktop/commit/270db6d6713d2c6c14d9df0b4bc7662843d3d54e",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/zen-browser/desktop/commit/270db6d6713d2c6c14d9df0b4bc7662843d3d54e"
            }
          ],
          "source": {
            "advisory": "GHSA-qpj9-m8jc-mw6q",
            "discovery": "UNKNOWN"
          },
          "title": "Zen Browser MAR updater ships with signature verification removed \u2014 unsigned updates accepted"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41431",
        "datePublished": "2026-05-11T16:55:10.814Z",
        "dateReserved": "2026-04-20T15:32:33.814Z",
        "dateUpdated": "2026-05-11T18:31:38.146Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }