Low severity 2.4 · NVD Advisory · Published May 11, 2026 · Updated May 13, 2026
CVE-2026-44658
Description
Zen is a Firefox-based browser. Prior to 1.19.12b, RSS feed URLs entered by the user are restricted to the http: or https: scheme in promptForFeedUrl, but item links inside the feed are not subject to the same restriction. The provider maps each RSS/Atom item link into item.url, filters only for presence and date, and returns the item list. The live-folder manager later creates pinned lazy tabs from these values with gBrowser.addTrustedTab(item.url, ...). This vulnerability is fixed in 1.19.12b.
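Added example (not Zen's code and not part of the advisory): a presence-and-date-only item filter, as the description characterizes it, beside a hardened filter that applies the same http:/https: allowlist to every item link before it could reach a tab-creation call. The function names, the item shape beyond item.url, and the sample items are assumptions made for illustration.

```javascript
// Added example, not Zen's source. Names other than item.url are
// hypothetical; the sample items below are constructed.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Returns the normalized href if `raw` is an absolute http(s) URL, else null.
function safeItemUrl(raw) {
  if (typeof raw !== "string") return null;
  let parsed;
  try {
    parsed = new URL(raw.trim()); // no base given: relative links are rejected
  } catch {
    return null;
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol) ? parsed.href : null;
}

// Behaviour described in the advisory: presence and date checks only.
function filterItemsPresenceOnly(items) {
  return items.filter((it) => it.url && !Number.isNaN(Date.parse(it.date)));
}

// Hardened: the same checks plus the scheme allowlist on every item link.
function filterItemsHardened(items) {
  const kept = [];
  for (const it of items) {
    if (Number.isNaN(Date.parse(it.date))) continue;
    const url = safeItemUrl(it.url);
    if (url !== null) kept.push({ ...it, url });
  }
  return kept;
}

// Constructed sample of already-parsed feed items.
const sampleItems = [
  { url: "https://example.org/post/1", date: "2026-05-01T10:00:00Z" },
  { url: "HTTP://Example.org/post/2", date: "2026-05-02T10:00:00Z" },
  { url: "about:preferences", date: "2026-05-03T10:00:00Z" },
  { url: "file:///tmp/example.html", date: "2026-05-03T11:00:00Z" },
  { url: "javascript:void(0)", date: "2026-05-03T12:00:00Z" },
  { url: "/relative/post", date: "2026-05-04T10:00:00Z" },
  { url: "https://example.org/post/3", date: "not a date" },
];

console.log(filterItemsPresenceOnly(sampleItems).map((i) => i.url));
console.log(filterItemsHardened(sampleItems).map((i) => i.url));
```

The check compares the parsed protocol rather than a string prefix, so scheme case and surrounding whitespace do not change the result.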
Affected products
- Range: <1.19.12b
Patches
No patches discovered yet.