Back to overview

CVE-2026-45150

MEDIUM Exploitation: PoC
6.3
CVSS 4.0
Description
Zen is a firefox-based browser. Prior to 1.19.13b, Zen Browser did not provide a persistent, clearly visible security notification when a webpage entered fullscreen mode, allowing an attacker-controlled page to hide the real browser UI and origin information, imitate a trusted website UI, and combine with long-domain URL eliding to spoof a trusted origin for phishing and credential theft. This issue is fixed in version 1.19.13b.

Metadata

CVE ID
CVE-2026-45150
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-05-08 20:44 UTC
Published
2026-07-15 15:35 UTC
Last updated
2026-07-15 17:44 UTC
Primary CWE
CWE-451
CWE-451: User Interface (UI) Misrepresentation of Critical I…
Vendor / Product
zen-browser / desktop
Sources
cve.org  ·  NVD

Severity & Metrics

6.3 MEDIUM CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
SSVC — CISA Coordinator
Exploitation
PoC
Automatable
yes
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
zen-browser desktop < 1.19.13b
Weakness (CWE)
CWESourceDescription
CWE-451 cna CWE-451: User Interface (UI) Misrepresentation of Critical Information
CVSS scores (1)
ScoreSeverityVersionSourceVector
6.3 MEDIUM 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
References (1)
Back to overview