Medium severity 4.7 · NVD Advisory · Published May 11, 2026 · Updated May 13, 2026
CVE-2026-44659
Description
Zen is a Firefox-based browser. Prior to 1.19.12b, Zen Browser incorrectly truncates long hostnames in the address bar and shows only the attacker-controlled prefix of the subdomain, hiding the actual registrable domain (eTLD+1). As a result, an attacker can craft extremely long malicious subdomains that visually imitate trusted brands, and the browser will display only the spoofed prefix, misleading users about the actual origin of the site. This directly compromises the URL bar as a security indicator and creates a phishing/supply-chain attack vector. This vulnerability is fixed in 1.19.12b.
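The display rule the description implies, as an added example (not Zen's code or its actual fix): a hostname that does not fit is elided from the left so the registrable domain always stays visible, shown beside the prefix-keeping truncation that hides it. `DEMO_SUFFIXES`, the function names and the sample hostname are constructed for illustration; real code would use the full Public Suffix List.

```javascript
// Constructed, minimal suffix set for this demo only. A real implementation
// must use the full Public Suffix List (or the browser's own eTLD service).
const DEMO_SUFFIXES = new Set(["com", "org", "test", "co.uk"]);

// Registrable domain (eTLD+1): the longest matching public suffix plus one label.
// IP literals and IDN/punycode handling are out of scope for this sketch.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {      // longest suffix first
    if (DEMO_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return host.toLowerCase();                     // no known suffix: treat whole host as the unit
}

// The unsafe behaviour described above: keep the head, drop the tail.
function truncateHead(host, maxLen) {
  return host.length <= maxLen ? host : host.slice(0, maxLen - 1) + "…";
}

// Safer behaviour: drop leading subdomain text, never the registrable domain.
// If the budget is too small, exceed it rather than hide the origin.
function elideHost(host, maxLen) {
  const h = host.toLowerCase();
  if (h.length <= maxLen) return h;
  const base = registrableDomain(h);
  if (base === h) return h;                      // nothing that is safe to drop
  const keep = Math.max(maxLen - 1, base.length + 1); // at least "." + eTLD+1
  return "…" + h.slice(-keep);
}

// Constructed sample: trusted-looking prefix, long filler label, real origin at the end.
const SAMPLE = "accounts.example-bank.com." + "a".repeat(40) + ".attacker.test";

console.log(truncateHead(SAMPLE, 30)); // origin is cut off
console.log(elideHost(SAMPLE, 30));    // origin stays visible
```

The same check is useful in a UI test suite: for any hostname and width, the rendered string must end with the value of `registrableDomain(host)`.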
Affected products
- Range: <1.19.12b
Patches
No patches discovered yet.