PT-2026-39659 · Unknown · Zen Browser

Smoke-Wolf

·

Published

2026-05-11

·

Updated

2026-05-11

·

CVE-2026-41431

CVSS v3.1

8.0

High

VectorAV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Zen Browser versions prior to 1.19.9b
Description Zen Browser includes a Mozilla Application Resource (MAR) updater (org.mozilla.updater) that lacks cryptographic signature verification. Because the updater binary contains no verification code and the MAR files contain no signatures, the defense-in-depth mechanism provided by MAR signing is absent. If the update server or GitHub release pipeline is compromised, an attacker could deliver arbitrary unsigned code to users through the auto-update mechanism.
Recommendations Update to version 1.19.9b.

Exploit

Fix

Improper Verification of Cryptographic Signature

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-41431
GHSA-QPJ9-M8JC-MW6Q

Affected Products

Zen Browser