Skip to main content

Zen Browser CVE-2026-57501

NONE
Incorrect Privilege Assignment (CWE-266)
2026-07-09 GitHub_M

Severity by source

Vendor (GitHub_M) PRIMARY
0.0 NONE
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N
vuln.today AI
9.3 CRITICAL

Network attacker, no auth needed, user must right-click (UI:R); System principal crosses browser security boundary (S:C) enabling local file read and potential write (C:H/I:H).

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 09, 2026 - 23:35 vuln.today

DescriptionCVE.org

Zen is a firefox-based browser. Prior to 1.21.5b, Zen's glance and split-view context-menu actions, Open link in glance and Split link in new tab, load a page-controlled link URL with the System principal instead of the originating page's principal, allowing a malicious web page to place a link to a file URL that can load with System privileges when opened through either context-menu item and bypass the content-to-file security check that blocks an ordinary click. This issue is fixed in version 1.21.5b.

AnalysisAI

System principal privilege escalation in Zen Browser prior to 1.21.5b allows a malicious webpage to bypass Firefox's content-to-file security boundary by exploiting the browser's custom glance and split-view context-menu features. The 'Open link in glance' and 'Split link in new tab' actions navigate attacker-supplied file:// URLs using the System principal rather than the originating page's content principal, granting access to local filesystem contents that would be blocked by an ordinary click. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker hosts page with file:// link
Delivery
Victim visits page in Zen Browser prior to 1.21.5b
Exploit
Victim right-clicks attacker link
Execution
Victim selects 'Open link in glance' or 'Split link in new tab'
Persist
Browser navigates file:// URL with System principal
Impact
Local file contents rendered in browser

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to be running Zen Browser desktop prior to version 1.21.5b - other Firefox-based browsers without the glance/split-view context-menu features are unaffected. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N) carries a base score of 0.0 because all impact metrics are set to None - this is almost certainly a data entry error or placeholder and does not reflect the actual severity of the vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker publishes a webpage containing a hyperlink whose href points to a sensitive local file such as file:///etc/shadow or file:///C:/Users/victim/.ssh/id_rsa, styled to appear as legitimate document content. When a Zen Browser user visits the page and right-clicks the link to select 'Open link in glance' or 'Split link in new tab', the browser loads the file:// URL under the System principal, rendering the local file's contents directly in the glance panel or split tab. …
Remediation Upgrade Zen Browser to version 1.21.5b or later, which is confirmed as the patched release per the GitHub security advisory GHSA-vpvg-hp3v-rm5q (https://github.com/zen-browser/desktop/security/advisories/GHSA-vpvg-hp3v-rm5q) and the release page at https://github.com/zen-browser/desktop/releases/tag/1.21.5b; the underlying code fix is in commit 44f7616238208200547c7df500d945752d7b6379. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2021-22879 HIGH POC
8.8 Apr 14

Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowi

CVE-2020-8224 HIGH POC
7.8 Aug 10

A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL confi

CVE-2023-1802 HIGH POC
7.5 Apr 06

In Docker Desktop 4.17.x the Artifactory Integration falls back to sending registry credentials over plain HTTP if the H

CVE-2020-8227 MEDIUM POC
6.8 Aug 21

Missing sanitization of a server response in Nextcloud Desktop Client 2.6.4 for Linux allowed a malicious Nextcloud Serv

CVE-2020-8140 MEDIUM POC
6.7 Mar 20

A code injection in Nextcloud Desktop Client 2.6.2 for macOS allowed to load arbitrary code when starting the client wit

CVE-2020-10665 MEDIUM POC
6.7 Mar 18

Docker Desktop allows local privilege escalation to NT AUTHORITY\SYSTEM because it mishandles the collection of diagnost

CVE-2023-28997 MEDIUM POC
6.5 Apr 04

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Rated medium severity (CVSS 6.5), thi

CVE-2021-32728 MEDIUM POC
6.5 Aug 18

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. Rated medium severity

CVE-2023-28999 MEDIUM POC
6.4 Apr 04

Nextcloud is an open-source productivity platform. Rated medium severity (CVSS 6.4), this vulnerability is remotely expl

CVE-2023-28998 MEDIUM POC
6.1 Apr 04

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Rated medium severity (CVSS 6.1), thi

CVE-2022-39333 MEDIUM POC
6.1 Nov 25

Nexcloud desktop is the Desktop sync client for Nextcloud. Rated medium severity (CVSS 6.1), this vulnerability is remot

CVE-2021-22895 MEDIUM POC
5.9 Jun 11

Nextcloud Desktop Client before 3.3.1 is vulnerable to improper certificate validation due to lack of SSL certificate ve

Share

CVE-2026-57501 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy