Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-delivered phishing attack requiring user interaction (UI:R); scope changes externally (S:C) as victim trust decisions are undermined; low C and I reflect credential-theft risk rather than direct system compromise.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Zen is a firefox-based browser. Prior to 1.19.13b, Zen Browser did not provide a persistent, clearly visible security notification when a webpage entered fullscreen mode, allowing an attacker-controlled page to hide the real browser UI and origin information, imitate a trusted website UI, and combine with long-domain URL eliding to spoof a trusted origin for phishing and credential theft. This issue is fixed in version 1.19.13b.
AnalysisAI
Fullscreen mode in Zen Browser desktop prior to 1.19.13b exposes users to credential-theft phishing by failing to display a persistent, visible security notification when a webpage enters fullscreen. An attacker-controlled page can completely occlude the real browser chrome - including the address bar and origin indicators - then render a convincing imitation of a trusted site's login interface. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to be running Zen Browser desktop in any version prior to 1.19.13b and to visit an attacker-controlled webpage. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 6.3 with vector AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N accurately captures the threat profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a convincing lookalike domain (e.g., a long subdomain of a legitimate service) and hosts a clone of a target login page. When a Zen Browser user visits the page and clicks a UI element - triggering the required user gesture - the page calls the Fullscreen API, hiding all browser chrome with no persistent warning shown. … |
| Remediation | Upgrade Zen Browser desktop to version 1.19.13b or later, which introduces a persistent, clearly visible security notification when a webpage enters fullscreen mode. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowi
A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL confi
In Docker Desktop 4.17.x the Artifactory Integration falls back to sending registry credentials over plain HTTP if the H
Missing sanitization of a server response in Nextcloud Desktop Client 2.6.4 for Linux allowed a malicious Nextcloud Serv
A code injection in Nextcloud Desktop Client 2.6.2 for macOS allowed to load arbitrary code when starting the client wit
Docker Desktop allows local privilege escalation to NT AUTHORITY\SYSTEM because it mishandles the collection of diagnost
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Rated medium severity (CVSS 6.5), thi
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. Rated medium severity
Nextcloud is an open-source productivity platform. Rated medium severity (CVSS 6.4), this vulnerability is remotely expl
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Rated medium severity (CVSS 6.1), thi
Nexcloud desktop is the Desktop sync client for Nextcloud. Rated medium severity (CVSS 6.1), this vulnerability is remot
Nextcloud Desktop Client before 3.3.1 is vulnerable to improper certificate validation due to lack of SSL certificate ve
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44703