CVE-2026-41431

HIGH 8.0

Zen Browser MAR updater ships with signature verification removed — unsigned updates accepted

CVSS Score

8.0

EPSS Score

0.0%

EPSS Percentile

0th

Zen is a firefox-based browser. Prior to 1.19.9b, Zen Browser ships a Mozilla Application Resource (MAR) updater (org.mozilla.updater) that has had all MAR signature verification stripped from the Firefox codebase it was forked from. The MAR files served to users contain zero cryptographic signatures, and the updater binary contains zero cryptographic verification code. This eliminates the defense-in-depth that MAR signing provides. If the update server or GitHub release pipeline is compromised, arbitrary unsigned code can be delivered to all Zen users via the auto-update mechanism. This vulnerability is fixed in 1.19.9b.

CWE	CWE-347
Vendor	zen-browser
Product	desktop
Published	May 11, 2026
Last Updated	May 11, 2026

Stay Ahead of the Next One

Get instant alerts for zen-browser desktop

Be the first to know when new high vulnerabilities affecting zen-browser desktop are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

zen-browser / desktop

< 1.19.9b

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/zen-browser/desktop/security/advisories/GHSA-qpj9-m8jc-mw6q github.com: https://github.com/zen-browser/desktop/commit/270db6d6713d2c6c14d9df0b4bc7662843d3d54e