CVE-2026-45150 PUBLISHED

Zen Browser - Missing Fullscreen Security Notification Allows Origin Spoofing

Assigner: GitHub_M
Reserved: 08.05.2026 Published: 15.07.2026 Updated: 15.07.2026

Zen is a firefox-based browser. Prior to 1.19.13b, Zen Browser did not provide a persistent, clearly visible security notification when a webpage entered fullscreen mode, allowing an attacker-controlled page to hide the real browser UI and origin information, imitate a trusted website UI, and combine with long-domain URL eliding to spoof a trusted origin for phishing and credential theft. This issue is fixed in version 1.19.13b.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
CVSS Score: 6.3

Product Status

Vendor zen-browser
Product desktop
Versions
  • Version < 1.19.13b is affected

References

Problem Types

  • CWE-451: User Interface (UI) Misrepresentation of Critical Information CWE