CVE-2026-44659
Zen Browser Mac - Address Bar Spoofing via Long Subdomain
CVSS Score: 4.7
EPSS Score: 0.0%
EPSS Percentile: 7th
Zen is a Firefox-based browser. Prior to 1.19.12b, Zen Browser incorrectly truncates long hostnames in the address bar and shows only the attacker-controlled prefix of the subdomain, hiding the actual registrable domain (eTLD+1). As a result, an attacker can craft extremely long malicious subdomains that visually imitate trusted brands, and the browser will display only the spoofed prefix, misleading users about the actual origin of the site. This directly compromises the URL bar as a security indicator and creates a phishing/supply-chain attack vector. This vulnerability is fixed in 1.19.12b.
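The advisory's core point is that truncating a hostname from the left keeps exactly the part an attacker chooses and drops the part the user needs. The following added example (not code from the Zen Browser project or from the advisory) contrasts that prefix-only truncation with a display routine that always keeps the registrable domain visible. The suffix table, the `registrableDomain` helper, the `SAMPLE_HOST` hostname and both truncation functions are constructed for illustration; a real implementation would resolve the eTLD against the Public Suffix List rather than a hard-coded set.

```javascript
// Added example, not part of the Zen Browser code base. PUBLIC_SUFFIXES is a
// constructed stand-in for the Public Suffix List (assumption for this demo).
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk", "invalid"]);

// Registrable domain (eTLD+1) of a hostname, or null when the hostname is
// itself a public suffix. The longest matching suffix wins, so "co.uk"
// takes precedence over "uk".
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(candidate)) {
      // Suffix starts at label i; eTLD+1 needs exactly one more label in front.
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  // No known suffix: fall back to the last two labels.
  return labels.length >= 2 ? labels.slice(-2).join(".") : null;
}

// The flawed behaviour the advisory describes: keep the leading characters,
// so a long attacker-chosen subdomain fills the visible field and the
// registrable domain is pushed out of view.
function truncatePrefix(hostname, maxChars) {
  if (hostname.length <= maxChars) return hostname;
  return hostname.slice(0, maxChars - 1) + "\u2026";
}

// Origin-preserving truncation: the eTLD+1 is always rendered in full at the
// right edge; only whole leading subdomain labels are elided, and an ellipsis
// marks that something was dropped.
function truncateKeepingOrigin(hostname, maxChars) {
  if (hostname.length <= maxChars) return hostname;
  const base = registrableDomain(hostname) ?? hostname;
  if (base.length + 1 >= maxChars) {
    // Too narrow even for the registrable domain: still show it rather than
    // the attacker-controlled prefix.
    return "\u2026" + base;
  }
  const subdomain = hostname.slice(0, hostname.length - base.length - 1);
  const room = maxChars - base.length - 2; // budget left after "…" and "."
  const labels = subdomain.split(".");
  let kept = "";
  // Walk subdomain labels from the right and keep as many whole labels as fit.
  for (let i = labels.length - 1; i >= 0; i--) {
    const next = kept ? labels[i] + "." + kept : labels[i];
    if (next.length > room) break;
    kept = next;
  }
  return "\u2026" + (kept ? kept + "." : "") + base;
}

// Constructed sample: a long subdomain whose leading labels look like a
// familiar site, hosted under an unrelated registrable domain.
const SAMPLE_HOST =
  "accounts.example-shop.com.session-verify-0123456789.attacker-example.invalid";

function demo(width) {
  return {
    flawed: truncatePrefix(SAMPLE_HOST, width),
    safe: truncateKeepingOrigin(SAMPLE_HOST, width),
  };
}

// With a 30-character field the flawed rendering shows only
// "accounts.example-shop.com.ses…", while the safe rendering shows
// "…attacker-example.invalid".
console.log(demo(30));
```

The check worth carrying into a code review of any address-bar rendering is the one `truncateKeepingOrigin` encodes: whatever is dropped, the string that reaches the screen must end with the registrable domain, and the elision must be visibly marked. A unit test that feeds a hostname longer than the field and asserts `rendered.endsWith(registrableDomain(hostname))` catches the CWE-451 pattern before it ships.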
| Field | Value |
| --- | --- |
| CWE | CWE-451 |
| Vendor | zen-browser |
| Product | desktop |
| Published | May 11, 2026 |
| Last Updated | May 12, 2026 |
CVSS v3 Breakdown

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

| Metric | Value |
| --- | --- |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Changed |
| Confidentiality | None |
| Integrity | Low |
| Availability | None |
Affected Versions

| Vendor / Product | Versions |
| --- | --- |
| zen-browser / desktop | < 1.19.12b |