CVE-2026-44659

Source
https://cve.org/CVERecord?id=CVE-2026-44659
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44659.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-44659
Aliases
  • GHSA-7p2r-fp29-9w69
Published
2026-05-11T17:01:18.559Z
Modified
2026-07-15T01:48:58.058194090Z
Severity
  • 4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N CVSS Calculator
Summary
Zen Browser Mac - Address Bar Spoofing via Long Subdomain
Details

Zen is a firefox-based browser. Prior to 1.19.12b, the ZEN Browser incorrectly truncates long hostnames in the address bar and shows only the attacker-controlled prefix of the subdomain, hiding the actual registrable domain (eTLD+1). As a result, an attacker can craft extremely long malicious subdomains that visually imitate trusted brands, and the browser will display only the spoofed prefix, misleading users about the actual origin of the site. This directly compromises the URL bar as a security indicator and creates a phishing/supply-chain attack vector. This vulnerability is fixed in 1.19.12b.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-451"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44659.json"
}
References

Affected packages

Git / github.com/zen-browser/desktop

Affected ranges

Type
GIT
Repo
https://github.com/zen-browser/desktop
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.19.12b"
        }
    ]
}

Affected versions

0.*
0.0.0-a.1
1.*
1.0.0-a.1
1.0.0-a.10
1.0.0-a.11
1.0.0-a.12
1.0.0-a.13
1.0.0-a.14
1.0.0-a.15
1.0.0-a.16
1.0.0-a.2
1.0.0-a.23
1.0.0-a.24
1.0.0-a.26
1.0.0-a.27
1.0.0-a.29
1.0.0-a.3
1.0.0-a.30
1.0.0-a.31
1.0.0-a.32
1.0.0-a.33
1.0.0-a.34
1.0.0-a.35
1.0.0-a.39
1.0.0-a.4
1.0.0-a.5
1.0.0-a.6
1.0.0-a.7
1.0.0-a.8
1.0.0-a.9
1.0.1-a.1
1.0.1-a.10
1.0.1-a.11
1.0.1-a.12
1.0.1-a.13
1.0.1-a.14
1.0.1-a.15
1.0.1-a.16
1.0.1-a.17
1.0.1-a.18
1.0.1-a.19
1.0.1-a.2
1.0.1-a.20
1.0.1-a.21
1.0.1-a.3
1.0.1-a.4
1.0.1-a.5
1.0.1-a.6
1.0.1-a.7
1.0.1-a.8
1.0.1-a.9
1.0.2-b.0
1.0.2-b.1
1.0.2-b.2
1.0.2-b.3
1.0.2-b.4
1.0.2-b.5
1.10.3b
1.10b
1.11.1b
1.11.4b
1.11.5b
1.11b
1.12.10b
1.12.2b
1.12.3b
1.12.4b
1.12.5b
1.12.6b
1.12.7b
1.12.8b
1.12.9b
1.12b
1.13.1b
1.13.2b
1.13b
1.14.10b
1.14.11b
1.14.1b
1.14.2b
1.14.3b
1.14.4b
1.14.5b
1.14.6b
1.14.8b
1.14.9b
1.14b
1.15.2b
1.15.3b
1.15.4b
1.15.5b
1.16.1b
1.16.3b
1.16.4b
1.16b
1.17.10b
1.17.11b
1.17.12b
1.17.13b
1.17.14b
1.17.15b
1.17.1b
1.17.2b
1.17.3b
1.17.5b
1.17.6b
1.17.7b
1.17.8b
1.17.9b
1.18.10b
1.18.1b
1.18.2b
1.18.3b
1.18.4b
1.18.5b
1.18.6b
1.18.7b
1.18.9b
1.18b
1.19.10b
1.19.11b
1.19.1b
1.19.2b
1.19.3b
1.19.4b
1.19.5b
1.19.6b
1.19.7b
1.19.8b
1.19.9b
1.19b
1.6b
1.7.1b
1.7.2b
1.7.3b
1.7.4b
1.7.6b
1.7b
1.8.1b
1.8.2b
1.8b
1.9b
Other
twilight-1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44659.json"