CVE-2026-41431— Zen Browser MAR updater ships with signature verification removed — unsigned updates accepted
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-41431
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Zen Browser MAR updater ships with signature verification removed — unsigned updates accepted
Source: NVD (National Vulnerability Database)
Vulnerability Description
Zen is a firefox-based browser. Prior to 1.19.9b, Zen Browser ships a Mozilla Application Resource (MAR) updater (org.mozilla.updater) that has had all MAR signature verification stripped from the Firefox codebase it was forked from. The MAR files served to users contain zero cryptographic signatures, and the updater binary contains zero cryptographic verification code. This eliminates the defense-in-depth that MAR signing provides. If the update server or GitHub release pipeline is compromised, arbitrary unsigned code can be delivered to all Zen users via the auto-update mechanism. This vulnerability is fixed in 1.19.9b.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
密码学签名的验证不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Zen 数据伪造问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Zen是Zen开源的一款基于Firefox的高效生产力浏览器。 Zen 1.19.9b之前版本存在数据伪造问题漏洞,该漏洞源于从Firefox代码库剥离了所有MAR签名验证,导致MAR文件包含零加密签名且更新程序包含零加密验证代码,如果更新服务器或GitHub发布管道被攻破,可通过自动更新机制向所有用户提供任意未签名代码。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| zen-browser | desktop | < 1.19.9b | - |
II. Public POCs for CVE-2026-41431
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-41431
请登录查看更多情报信息。
Same Patch Batch · zen-browser · 2026-05-11 · 3 CVEs total
| CVE-2026-44659 | 4.7 MEDIUM | Zen Browser Mac - Address Bar Spoofing via Long Subdomain |
| CVE-2026-44658 | 2.4 LOW | Zen Browser: RSS Live-Folder Item URLs Are Not Scheme-Restricted Before Trusted Tab Creati |
IV. Related Vulnerabilities
Same product: desktop
- CVE-2026-44659
Zen Browser Mac - Address Bar Spoofing via Long Subdomain - CVE-2026-44658
Zen Browser: RSS Live-Folder Item URLs Are Not Scheme-Restri - CVE-2026-7701
Telegram Desktop Bot API url_auth_box.cpp RequestButton null - CVE-2025-14414
Soda PDF Desktop Word File Insufficient UI Warning Remote Co - CVE-2025-14415
Soda PDF Desktop Launch Insufficient UI Warning Remote Code
Same weakness: CWE-347
V. Comments for CVE-2026-41431
No comments yet