Zen Browser CVE-2026-57501
NONESeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N
Network attacker, no auth needed, user must right-click (UI:R); System principal crosses browser security boundary (S:C) enabling local file read and potential write (C:H/I:H).
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Zen is a firefox-based browser. Prior to 1.21.5b, Zen's glance and split-view context-menu actions, Open link in glance and Split link in new tab, load a page-controlled link URL with the System principal instead of the originating page's principal, allowing a malicious web page to place a link to a file URL that can load with System privileges when opened through either context-menu item and bypass the content-to-file security check that blocks an ordinary click. This issue is fixed in version 1.21.5b.
AnalysisAI
System principal privilege escalation in Zen Browser prior to 1.21.5b allows a malicious webpage to bypass Firefox's content-to-file security boundary by exploiting the browser's custom glance and split-view context-menu features. The 'Open link in glance' and 'Split link in new tab' actions navigate attacker-supplied file:// URLs using the System principal rather than the originating page's content principal, granting access to local filesystem contents that would be blocked by an ordinary click. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to be running Zen Browser desktop prior to version 1.21.5b - other Firefox-based browsers without the glance/split-view context-menu features are unaffected. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N) carries a base score of 0.0 because all impact metrics are set to None - this is almost certainly a data entry error or placeholder and does not reflect the actual severity of the vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker publishes a webpage containing a hyperlink whose href points to a sensitive local file such as file:///etc/shadow or file:///C:/Users/victim/.ssh/id_rsa, styled to appear as legitimate document content. When a Zen Browser user visits the page and right-clicks the link to select 'Open link in glance' or 'Split link in new tab', the browser loads the file:// URL under the System principal, rendering the local file's contents directly in the glance panel or split tab. … |
| Remediation | Upgrade Zen Browser to version 1.21.5b or later, which is confirmed as the patched release per the GitHub security advisory GHSA-vpvg-hp3v-rm5q (https://github.com/zen-browser/desktop/security/advisories/GHSA-vpvg-hp3v-rm5q) and the release page at https://github.com/zen-browser/desktop/releases/tag/1.21.5b; the underlying code fix is in commit 44f7616238208200547c7df500d945752d7b6379. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowi
A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL confi
In Docker Desktop 4.17.x the Artifactory Integration falls back to sending registry credentials over plain HTTP if the H
Missing sanitization of a server response in Nextcloud Desktop Client 2.6.4 for Linux allowed a malicious Nextcloud Serv
A code injection in Nextcloud Desktop Client 2.6.2 for macOS allowed to load arbitrary code when starting the client wit
Docker Desktop allows local privilege escalation to NT AUTHORITY\SYSTEM because it mishandles the collection of diagnost
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Rated medium severity (CVSS 6.5), thi
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. Rated medium severity
Nextcloud is an open-source productivity platform. Rated medium severity (CVSS 6.4), this vulnerability is remotely expl
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Rated medium severity (CVSS 6.1), thi
Nexcloud desktop is the Desktop sync client for Nextcloud. Rated medium severity (CVSS 6.1), this vulnerability is remot
Nextcloud Desktop Client before 3.3.1 is vulnerable to improper certificate validation due to lack of SSL certificate ve
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today