Unsigned Code Delivery Vulnerability in Zen Browser by Zen
CVE-2026-41431
8 HIGH
What is CVE-2026-41431?
Zen Browser, a derivative of Firefox, contained a vulnerability caused by the absence of cryptographic signature verification in its Mozilla Application Resource (MAR) updater. Prior to version 1.19.9b, the updater shipped with Zen Browser would install unsigned code, a significant risk if the update server or release pipeline was compromised. An attacker in that position could deliver arbitrary code to users through the auto-update mechanism, compromising the integrity and security of the browser's updates.
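A release-pipeline check related to the issue above, as an added example that is not Zen's or Mozilla's code: it parses the signature block of a MAR archive and fails closed when no signature entry is present. It assumes the signed MAR header layout and algorithm IDs used by Mozilla's MAR tooling, runs on constructed sample archives, and only confirms that signatures are present; cryptographic verification against trusted keys remains the updater's job.

```python
import struct
MAR_MAGIC = b"MAR1"
# Signature algorithm IDs used by Mozilla's MAR tooling (assumption, not from the page).
KNOWN_ALGORITHMS = {1: "RSA-PKCS1-SHA1", 2: "RSA-PKCS1-SHA384"}
MAX_SIGNATURES, MAX_SIG_LEN = 8, 2048  # sanity bounds chosen for this example

class MarError(ValueError): pass

def _take(buf, off, fmt):
    # Read one big-endian field at off; return (value, next offset).
    size = struct.calcsize(fmt)
    if off + size > len(buf):
        raise MarError("truncated header")
    return struct.unpack_from(fmt, buf, off)[0], off + size

def signature_entries(buf):
    """Return [(algorithm_id, signature_length), ...] from the signature block."""
    if buf[:4] != MAR_MAGIC:
        raise MarError("bad magic")
    index_off, off = _take(buf, 4, ">I")
    file_size, off = _take(buf, off, ">Q")
    if file_size != len(buf) or index_off >= len(buf):
        raise MarError("size or index offset does not match the file")
    count, off = _take(buf, off, ">I")
    if count > MAX_SIGNATURES:
        raise MarError("implausible signature count")
    entries = []
    for _ in range(count):
        alg, off = _take(buf, off, ">I")
        length, off = _take(buf, off, ">I")
        if not 0 < length <= MAX_SIG_LEN or off + length > len(buf):
            raise MarError("bad signature length")
        entries.append((alg, length))
        off += length  # skip the signature bytes; they are not verified here
    return entries

def release_gate(buf):
    """Fail closed: pass only archives with >= 1 signature, all of known algorithms."""
    try:
        entries = signature_entries(buf)
    except MarError:
        return False
    return bool(entries) and all(alg in KNOWN_ALGORITHMS for alg, _ in entries)

def build_sample(sigs):
    """Constructed sample archive: header, signature block, empty sections and index."""
    body = struct.pack(">I", len(sigs))
    for alg, sig in sigs:
        body += struct.pack(">II", alg, len(sig)) + sig
    index_off = 20 + len(body)  # 16-byte header + body + 4-byte section count
    return MAR_MAGIC + struct.pack(">IQ", index_off, index_off + 4) + body + struct.pack(">II", 0, 0)
```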
Affected Version(s)
desktop < 1.19.9b
