Description
Zen is a firefox-based browser. Prior to 1.19.12b, RSS feed URLs entered by the user are validated to http: or https: in promptForFeedUrl, but item links inside the feed are not subject to the same restriction. The provider maps each RSS/Atom item link into item.url, filters only for presence and date, and returns the item list. The live-folder manager later creates pinned lazy tabs from these values with gBrowser.addTrustedTab(item.url, ...). This vulnerability is fixed in 1.19.12b.
Published: 2026-05-11
Score: 2.4 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Zen Browser uses a function that turns RSS/Atom feed items into tabs with trusted privileges. The code that validates external URLs only checks the main feed URL for an http or https scheme, but the individual feed item links are not restricted. This discrepancy allows an attacker to supply a feed containing a non‑http/https link that will be added as a trusted lazy tab. If an attacker succeeds, they can execute code with elevated browser privileges, potentially compromising the user's system.

Affected Systems

Any installation of Zen Browser desktop prior to version 1.19.12b is affected. Vendors and systems that rely on the desktop edition and use the live‑folder RSS feature are in scope.

Risk and Exploitability

The CVSS score of 2.4 indicates that the technical impact is modest, yet the vulnerability enables the creation of trusted tabs from arbitrary feeds. Because a malicious feed can be presented to a local user, the attack vector is likely user‑initiated and local. EPSS data is not available, and the flaw is not listed in CISA’s KEV catalog, so it is not known to be actively exploited in the wild.

Generated by OpenCVE AI on May 11, 2026 at 18:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Zen Browser to version 1.19.12b or later to apply the fix.
  • If an upgrade is not immediately possible, disable the live‑folder RSS feed feature in the application settings to prevent untrusted URLs from being converted into trusted tabs.
  • Manually review existing RSS feeds and ensure that item URLs use only http or https schemes before they are loaded into live folders.

Generated by OpenCVE AI on May 11, 2026 at 18:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Zen-browser
Zen-browser desktop
Vendors & Products Zen-browser
Zen-browser desktop

Mon, 11 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description Zen is a firefox-based browser. Prior to 1.19.12b, RSS feed URLs entered by the user are validated to http: or https: in promptForFeedUrl, but item links inside the feed are not subject to the same restriction. The provider maps each RSS/Atom item link into item.url, filters only for presence and date, and returns the item list. The live-folder manager later creates pinned lazy tabs from these values with gBrowser.addTrustedTab(item.url, ...). This vulnerability is fixed in 1.19.12b.
Title Zen Browser: RSS Live-Folder Item URLs Are Not Scheme-Restricted Before Trusted Tab Creation
Weaknesses CWE-20
References
Metrics cvssV3_1

{'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Zen-browser Desktop
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T19:04:14.434Z

Reserved: 2026-05-07T16:20:08.659Z

Link: CVE-2026-44658

cve-icon Vulnrichment

Updated: 2026-05-11T18:22:31.755Z

cve-icon NVD

Status : Received

Published: 2026-05-11T18:16:38.243

Modified: 2026-05-11T18:16:38.243

Link: CVE-2026-44658

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T09:22:48Z

Weaknesses