CVE-2026-44658
LOW
Zen Browser: RSS Live-Folder Item URLs Are Not Scheme-Restricted Before Trusted Tab Creation
Title source: cnaDescription
Zen is a Firefox-based browser. Prior to 1.19.12b, RSS feed URLs entered by the user are validated to http: or https: in promptForFeedUrl, but item links inside the feed are not subject to the same restriction. The provider maps each RSS/Atom item link into item.url, filters only for presence and a date, and returns the item list. The live-folder manager later creates pinned lazy tabs from these values with gBrowser.addTrustedTab(item.url, ...), so an item link with any other scheme reaches trusted tab creation unchecked. This vulnerability is fixed in 1.19.12b.
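The gap described above is that only the feed URL is scheme-checked while the item links the feed supplies are passed through on presence and date alone. The following is an added example, not Zen Browser's code, showing the vulnerable mapping pattern beside a hardened one that applies the same http/https restriction to every item link before anything downstream can turn it into a tab. Function names, the entry shape, and the sample feed entries are assumptions constructed for illustration; the advisory does not say which schemes were reachable.

```javascript
// Added example (not Zen Browser's code). Applies the same http/https scheme
// restriction the advisory says promptForFeedUrl applies to the feed URL to
// every item link the provider emits. Names and item shape are assumptions.

const ALLOWED_ITEM_SCHEMES = new Set(["http:", "https:"]);

// Returns the normalized absolute URL string if `raw` parses as http(s),
// otherwise null. Relative links resolve against the feed URL, which is
// already scheme-restricted, so they can only inherit http(s).
function allowedItemUrl(raw, feedUrl) {
  if (typeof raw !== "string" || raw.trim() === "") return null;
  let parsed;
  try {
    parsed = new URL(raw.trim(), feedUrl);
  } catch {
    return null; // unparseable link: drop it rather than pass it through
  }
  return ALLOWED_ITEM_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Mirrors the vulnerable behaviour the advisory describes: an item is kept if
// it has a link and a date; the link's scheme is never examined.
function mapFeedItemsUnrestricted(entries) {
  return entries
    .map((e) => ({ title: e.title, url: e.link, date: e.date }))
    .filter((item) => item.url && item.date);
}

// Hardened variant: the link must resolve to http(s) or the item is dropped,
// so nothing with another scheme can reach trusted tab creation later.
function mapFeedItemsRestricted(entries, feedUrl) {
  const items = [];
  for (const e of entries) {
    const url = allowedItemUrl(e.link, feedUrl);
    if (url === null || !e.date) continue;
    items.push({ title: e.title, url, date: e.date });
  }
  return items;
}

// Constructed sample input (not from any real feed or from the advisory).
const SAMPLE_FEED_URL = "https://example.com/feed.xml";
const SAMPLE_ENTRIES = [
  { title: "absolute https", link: "https://example.com/posts/1", date: "2026-05-01" },
  { title: "relative path", link: "/posts/2", date: "2026-05-02" },
  { title: "non-http scheme", link: "javascript:void(0)", date: "2026-05-03" },
  { title: "file scheme", link: "file:///etc/hostname", date: "2026-05-04" },
  { title: "missing date", link: "https://example.com/posts/5", date: "" },
  { title: "empty link", link: "", date: "2026-05-06" },
];

// Returns the URL lists each mapping produces so the difference is visible.
function compareMappings() {
  const before = mapFeedItemsUnrestricted(SAMPLE_ENTRIES).map((i) => i.url);
  const after = mapFeedItemsRestricted(SAMPLE_ENTRIES, SAMPLE_FEED_URL).map((i) => i.url);
  return { before, after };
}

console.log(JSON.stringify(compareMappings(), null, 2));
```

The check lives in the provider, at the point where item.url is produced, rather than at the consumer, so any future caller of the item list inherits the restriction; it says nothing about what addTrustedTab itself does with a URL, only that non-http(s) links never reach it.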
References (1)
x_refsource_confirm
https://github.com/zen-browser/desktop/security/advisories/GHSA-cc9c-mmmf-c5j6
Scores
CVSS v3
2.4
EPSS
0.0004
EPSS Percentile
13.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-20
Status
published
Products (1)
zen-browser/desktop
< 1.19.12b
Published
May 11, 2026
Tracked Since
May 11, 2026