PT-2026-39659 · Unknown · Zen Browser
Smoke-Wolf
·
Published
2026-05-11
·
Updated
2026-05-11
·
CVE-2026-41431
CVSS v3.1
8.0
High
| Vector | AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Zen Browser versions prior to 1.19.9b
Description
Zen Browser includes a Mozilla Application Resource (MAR) updater (
org.mozilla.updater) that lacks cryptographic signature verification. Because the updater binary contains no verification code and the MAR files contain no signatures, the defense-in-depth mechanism provided by MAR signing is absent. If the update server or GitHub release pipeline is compromised, an attacker could deliver arbitrary unsigned code to users through the auto-update mechanism.Recommendations
Update to version 1.19.9b.
Exploit
Fix
Improper Verification of Cryptographic Signature
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Zen Browser