CVE-2026-44659
Severity: MEDIUM
Zen Browser Mac - Address Bar Spoofing via Long Subdomain
Title source: cnaDescription
Zen is a Firefox-based browser. Prior to 1.19.12b, Zen Browser incorrectly truncates long hostnames in the address bar and shows only the attacker-controlled prefix of the subdomain, hiding the actual registrable domain (eTLD+1). As a result, an attacker can craft extremely long malicious subdomains that visually imitate trusted brands, and the browser will display only the spoofed prefix, misleading users about the actual origin of the site. This directly compromises the URL bar as a security indicator and creates a phishing/supply-chain attack vector. This vulnerability is fixed in 1.19.12b.
References (1)
x_refsource_confirm: https://github.com/zen-browser/desktop/security/advisories/GHSA-7p2r-fp29-9w69
Scores
CVSS v3: 4.7
EPSS: 0.0016
EPSS Percentile: 6.0%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-451
Status: published
Products (1): zen-browser/desktop < 1.19.12b
Published: May 11, 2026
Tracked Since: May 11, 2026