Skip to main content

Zen Browser EUVDEUVD-2026-44703

| CVE-2026-45150 MEDIUM
User Interface (UI) Misrepresentation of Critical Information (CWE-451)
2026-07-15 GitHub_M
6.3
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.1 MEDIUM

Network-delivered phishing attack requiring user interaction (UI:R); scope changes externally (S:C) as victim trust decisions are undermined; low C and I reflect credential-theft risk rather than direct system compromise.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

2
Patch available
Jul 15, 2026 - 17:48 EUVD
Analysis Generated
Jul 15, 2026 - 16:19 vuln.today

DescriptionCVE.org

Zen is a firefox-based browser. Prior to 1.19.13b, Zen Browser did not provide a persistent, clearly visible security notification when a webpage entered fullscreen mode, allowing an attacker-controlled page to hide the real browser UI and origin information, imitate a trusted website UI, and combine with long-domain URL eliding to spoof a trusted origin for phishing and credential theft. This issue is fixed in version 1.19.13b.

AnalysisAI

Fullscreen mode in Zen Browser desktop prior to 1.19.13b exposes users to credential-theft phishing by failing to display a persistent, visible security notification when a webpage enters fullscreen. An attacker-controlled page can completely occlude the real browser chrome - including the address bar and origin indicators - then render a convincing imitation of a trusted site's login interface. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Victim visits attacker-controlled URL
Delivery
User gesture triggers Fullscreen API call
Exploit
Browser enters fullscreen with no persistent security indicator
Install
Real browser chrome (address bar, origin) fully hidden
C2
Attacker renders trusted-site UI clone full-screen
Execute
Victim submits credentials to attacker-controlled form
Impact
Credentials exfiltrated

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to be running Zen Browser desktop in any version prior to 1.19.13b and to visit an attacker-controlled webpage. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.3 with vector AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N accurately captures the threat profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a convincing lookalike domain (e.g., a long subdomain of a legitimate service) and hosts a clone of a target login page. When a Zen Browser user visits the page and clicks a UI element - triggering the required user gesture - the page calls the Fullscreen API, hiding all browser chrome with no persistent warning shown. …
Remediation Upgrade Zen Browser desktop to version 1.19.13b or later, which introduces a persistent, clearly visible security notification when a webpage enters fullscreen mode. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2021-22879 HIGH POC
8.8 Apr 14

Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowi

CVE-2020-8224 HIGH POC
7.8 Aug 10

A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL confi

CVE-2023-1802 HIGH POC
7.5 Apr 06

In Docker Desktop 4.17.x the Artifactory Integration falls back to sending registry credentials over plain HTTP if the H

CVE-2020-8227 MEDIUM POC
6.8 Aug 21

Missing sanitization of a server response in Nextcloud Desktop Client 2.6.4 for Linux allowed a malicious Nextcloud Serv

CVE-2020-8140 MEDIUM POC
6.7 Mar 20

A code injection in Nextcloud Desktop Client 2.6.2 for macOS allowed to load arbitrary code when starting the client wit

CVE-2020-10665 MEDIUM POC
6.7 Mar 18

Docker Desktop allows local privilege escalation to NT AUTHORITY\SYSTEM because it mishandles the collection of diagnost

CVE-2023-28997 MEDIUM POC
6.5 Apr 04

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Rated medium severity (CVSS 6.5), thi

CVE-2021-32728 MEDIUM POC
6.5 Aug 18

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. Rated medium severity

CVE-2023-28999 MEDIUM POC
6.4 Apr 04

Nextcloud is an open-source productivity platform. Rated medium severity (CVSS 6.4), this vulnerability is remotely expl

CVE-2023-28998 MEDIUM POC
6.1 Apr 04

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Rated medium severity (CVSS 6.1), thi

CVE-2022-39333 MEDIUM POC
6.1 Nov 25

Nexcloud desktop is the Desktop sync client for Nextcloud. Rated medium severity (CVSS 6.1), this vulnerability is remot

CVE-2021-22895 MEDIUM POC
5.9 Jun 11

Nextcloud Desktop Client before 3.3.1 is vulnerable to improper certificate validation due to lack of SSL certificate ve

Share

EUVD-2026-44703 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy