Zen Browser Mac – Address Bar Spoofing via Long Subdomain

4.7 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Description

Zen is a firefox-based browser. Prior to 1.19.12b, the ZEN Browser incorrectly truncates long hostnames in the address bar and shows only the attacker-controlled prefix of the subdomain, hiding the actual registrable domain (eTLD+1). As a result, an attacker can craft extremely long malicious subdomains that visually imitate trusted brands, and the browser will display only the spoofed prefix, misleading users about the actual origin of the site. This directly compromises the URL bar as a security indicator and creates a phishing/supply-chain attack vector. This vulnerability is fixed in 1.19.12b.

Basic Information

ID CVE-2026-44659

Source GitHub_M

Published May 11, 2026 at 17:01

Affected Product

Vendor zen-browser

Product desktop

Version < 1.19.12b

Affected Versions zen-browser desktop < 1.19.12b

CWE Classification

CWE-451

References

github.com /zen-browser/desktop/security/advisories/GHSA-7p2r-fp29-9w69

{
    "lastseen": "",
    "description": "Zen is a firefox-based browser. Prior to 1.19.12b, the ZEN Browser incorrectly truncates long hostnames in the address bar and shows only the attacker-controlled prefix of the subdomain, hiding the actual registrable domain (eTLD+1). As a result, an attacker can craft extremely long malicious subdomains that visually imitate trusted brands, and the browser will display only the spoofed prefix, misleading users about the actual origin of the site. This directly compromises the URL bar as a security indicator and creates a phishing/supply-chain attack vector. This vulnerability is fixed in 1.19.12b.",
    "published": "2026-05-11T17:01:18.559Z",
    "modified": "2026-05-11T17:01:18.559Z",
    "type": "cve",
    "title": "Zen Browser Mac - Address Bar Spoofing via Long Subdomain",
    "source": "GitHub_M",
    "references": "https://github.com/zen-browser/desktop/security/advisories/GHSA-7p2r-fp29-9w69",
    "id": "CVE-2026-44659",
    "bulletinFamily": "",
    "cwe": [
        "CWE-451"
    ],
    "cvelist": null,
    "sourceData": "zen-browser desktop < 1.19.12b",
    "sourceHref": "",
    "cvss": {
        "score": 4.7,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "desktop",
    "version": "< 1.19.12b",
    "vendor": "zen-browser",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Zen Browser Mac – Address Bar Spoofing via Long Subdomain_CVE-2026-44659