Description
Zen is a firefox-based browser. Prior to 1.19.12b, the ZEN Browser incorrectly truncates long hostnames in the address bar and shows only the attacker-controlled prefix of the subdomain, hiding the actual registrable domain (eTLD+1). As a result, an attacker can craft extremely long malicious subdomains that visually imitate trusted brands, and the browser will display only the spoofed prefix, misleading users about the actual origin of the site. This directly compromises the URL bar as a security indicator and creates a phishing/supply-chain attack vector. This vulnerability is fixed in 1.19.12b.
Published: 2026-05-11
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Zen Browser prior to 1.19.12b truncates excessively long hostnames in the URL bar, displaying only the attacker‑controlled subdomain prefix and hiding the real registrable domain (eTLD+1). This compromises the address bar as a trusted security indicator, allowing an attacker to craft long malicious subdomains that visually imitate trusted brands. The result is a phishing or supply‑chain attack vector that misleads users about the actual origin of the website.

Affected Systems

Zen Browser, Desktop edition, any release earlier than 1.19.12b. The vulnerability exists in all affected versions until the fix is applied via the 1.19.12b release.

Risk and Exploitability

The CVSS score is 4.7, indicating moderate severity. EPSS is not available and the vulnerability is not listed in CISA KEV. Attackers exploit the flaw by hosting malicious sites with long subdomains; users who visit such sites will see a spoofed address bar and may trust the site. The lack of availability of EPSS data makes the exact exploitation probability unclear, but the potential for widespread phishing makes this moderate risk.

Generated by OpenCVE AI on May 11, 2026 at 19:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Zen Browser to version 1.19.12b or later.
  • Train users to cross‑check the domain in the address bar and watch for unusually long subdomains.
  • Monitor for phishing attempts that use long subdomains and consider filtering such domains if possible.

Generated by OpenCVE AI on May 11, 2026 at 19:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 13 May 2026 07:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Zen-browser
Zen-browser desktop
Vendors & Products Zen-browser
Zen-browser desktop

Mon, 11 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description Zen is a firefox-based browser. Prior to 1.19.12b, the ZEN Browser incorrectly truncates long hostnames in the address bar and shows only the attacker-controlled prefix of the subdomain, hiding the actual registrable domain (eTLD+1). As a result, an attacker can craft extremely long malicious subdomains that visually imitate trusted brands, and the browser will display only the spoofed prefix, misleading users about the actual origin of the site. This directly compromises the URL bar as a security indicator and creates a phishing/supply-chain attack vector. This vulnerability is fixed in 1.19.12b.
Title Zen Browser Mac - Address Bar Spoofing via Long Subdomain
Weaknesses CWE-451
References
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N'}

Subscriptions

Zen-browser Desktop
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T16:13:51.896Z

Reserved: 2026-05-07T16:20:08.659Z

Link: CVE-2026-44659

cve-icon Vulnrichment

Updated: 2026-05-12T16:13:46.939Z

cve-icon NVD

Status : Received

Published: 2026-05-11T18:16:38.380

Modified: 2026-05-11T18:16:38.380

Link: CVE-2026-44659

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T09:22:47Z

Weaknesses