High severity (CVSS 8.0) · NVD Advisory · Published May 11, 2026 · Updated May 13, 2026
CVE-2026-41431
Description
Zen is a Firefox-based browser. Prior to 1.19.9b, Zen Browser shipped a Mozilla ARchive (MAR) updater (org.mozilla.updater) from which all MAR signature verification had been stripped relative to the Firefox codebase it was forked from. The MAR files served to users carried no cryptographic signatures, and the updater binary contained no signature verification code. This removes the defense-in-depth that MAR signing provides: transport security only protects the download channel, not the artifact, so if the update server or the GitHub release pipeline were compromised, arbitrary unsigned code could be delivered to every Zen user through the auto-update mechanism. This vulnerability is fixed in 1.19.9b. Note that the upgrade to 1.19.9b is itself fetched by the unverified updater, so obtaining that release through a channel you trust is prudent.
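The quickest way to confirm the condition described above on a downloaded update is to look at the MAR file itself: a MAR carries a signature count right after its 16-byte header, and an unsigned build has a count of zero. The following is an added example, not Zen's or Mozilla's code. It parses the header, signature block, additional sections and index of a MAR, reports whether any signatures are present, and computes the SHA-384 digest of the region a MAR signature covers. The layout and the algorithm IDs (1 and 2 for RSA-PKCS1-SHA384) are taken from the public MAR format description and are assumptions here, as is the rule that each signature's algorithm-id and size fields are covered by the signature while the signature bytes are not. `build_mar` constructs sample files for demonstration; `updatev3.manifest` and its contents are constructed input, not real update data. Verifying a signature against the vendor's public key is the updater's job and is not attempted here.

```python
# Added example, not Zen's or Mozilla's code: parse a MAR update file and
# report whether it carries any signatures. Layout and algorithm IDs follow
# the public MAR format description (assumption: current signed-MAR layout;
# ancient pre-signing MARs lack the file-size and signature fields).
import hashlib
import struct

MAR_MAGIC = b"MAR1"
HEADER_LEN = 16          # magic(4) + index offset(4) + file size(8)

# Algorithm IDs emitted by Mozilla's signmar (assumption, per format docs).
ALGORITHMS = {
    1: "RSA-PKCS1-SHA384, 2048-bit key",
    2: "RSA-PKCS1-SHA384, 4096-bit key",
}


def parse_mar(data: bytes) -> dict:
    """Parse header, signature block, additional sections and index.

    'signed_sha384' is the digest of every byte a MAR signature covers:
    the whole file except the signature bytes themselves (assumption:
    the algorithm-id and size fields of each signature are covered).
    """
    if len(data) < HEADER_LEN + 4 or data[:4] != MAR_MAGIC:
        raise ValueError("not a MAR file: bad magic or truncated header")
    index_offset, file_size, sig_count = struct.unpack(">IQI", data[4:20])
    if file_size != len(data):
        raise ValueError(f"size field {file_size} != actual length {len(data)}")
    pos = HEADER_LEN + 4
    signed = bytearray(data[:pos])            # header + signature count
    signatures = []
    for _ in range(sig_count):
        alg, size = struct.unpack(">II", data[pos:pos + 8])
        signed += data[pos:pos + 8]           # alg id + size are signed
        pos += 8
        signatures.append({"algorithm": alg, "name": ALGORITHMS.get(alg, "unknown"),
                           "bytes": data[pos:pos + size]})
        pos += size                           # the signature itself is not
    signed += data[pos:]
    (section_count,) = struct.unpack(">I", data[pos:pos + 4])
    pos += 4
    sections = []
    for _ in range(section_count):            # block size includes its 8-byte head
        block_size, block_id = struct.unpack(">II", data[pos:pos + 8])
        sections.append((block_id, data[pos + 8:pos + block_size]))
        pos += block_size
    (index_size,) = struct.unpack(">I", data[index_offset:index_offset + 4])
    p, end, entries = index_offset + 4, index_offset + 4 + index_size, []
    while p < end:                            # offset, length, flags, NUL name
        off, length, flags = struct.unpack(">III", data[p:p + 12])
        nul = data.index(b"\0", p + 12)
        entries.append({"name": data[p + 12:nul].decode(), "offset": off,
                        "length": length, "flags": flags})
        p = nul + 1
    return {"signatures": signatures, "sections": sections, "entries": entries,
            "signed_sha384": hashlib.sha384(signed).hexdigest()}


def assess(data: bytes) -> tuple:
    """Return (is_signed, verdict). A present signature is necessary, not
    sufficient: checking it against the vendor's public key is the
    updater's job and is out of scope here."""
    info = parse_mar(data)
    if not info["signatures"]:
        return False, "UNSIGNED: MAR carries zero signatures"
    unknown = [s["algorithm"] for s in info["signatures"] if s["algorithm"] not in ALGORITHMS]
    if unknown:
        return False, f"signature(s) with unknown algorithm id(s) {unknown}"
    names = ", ".join(s["name"] for s in info["signatures"])
    return True, f"{len(info['signatures'])} signature(s): {names}"


def build_mar(files: dict, signatures: list) -> bytes:
    """Construct a minimal MAR for demonstration (constructed sample, not a
    real update). signatures: list of (algorithm id, signature bytes)."""
    sig_block = struct.pack(">I", len(signatures)) + b"".join(
        struct.pack(">II", alg, len(sig)) + sig for alg, sig in signatures)
    sections = struct.pack(">I", 0)           # no additional sections
    content_start = HEADER_LEN + len(sig_block) + len(sections)
    content, index = b"", b""
    for name, blob in files.items():
        index += struct.pack(">III", content_start + len(content), len(blob), 0o644)
        index += name.encode() + b"\0"
        content += blob
    index_offset = content_start + len(content)
    file_size = index_offset + 4 + len(index)
    return (MAR_MAGIC + struct.pack(">IQ", index_offset, file_size)
            + sig_block + sections + content + struct.pack(">I", len(index)) + index)


if __name__ == "__main__":
    manifest = {"updatev3.manifest": b'type "complete"\n'}   # constructed sample
    for label, mar in (("unsigned", build_mar(manifest, [])),
                       ("signed", build_mar(manifest, [(1, b"\x11" * 256)]))):
        print(label, assess(mar))
```

To check a real download, pass the file's bytes to `assess`; a verdict of "UNSIGNED" on a MAR served by an update server is exactly the condition this advisory describes. The `signed_sha384` value is what an out-of-band verification with the vendor's public key would have to match, and it is unchanged when only the signature bytes differ, which is why the example computes it over the file minus those bytes.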
Affected products: 1
Patches: 0 (no patches discovered yet)
References: 2