{"id":"CVE-2026-45150","summary":"Zen Browser - Missing Fullscreen Security Notification Allows Origin Spoofing","details":"Zen is a firefox-based browser. Prior to 1.19.13b, Zen Browser did not provide a persistent, clearly visible security notification when a webpage entered fullscreen mode, allowing an attacker-controlled page to hide the real browser UI and origin information, imitate a trusted website UI, and combine with long-domain URL eliding to spoof a trusted origin for phishing and credential theft. This issue is fixed in version 1.19.13b.","aliases":["GHSA-vjfv-85qf-v25c"],"modified":"2026-07-17T03:41:53.875010756Z","published":"2026-07-15T15:35:17.010Z","database_specific":{"cwe_ids":["CWE-451"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45150.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45150.json"},{"type":"ADVISORY","url":"https://github.com/zen-browser/desktop/security/advisories/GHSA-vjfv-85qf-v25c"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45150"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/zen-browser/desktop","events":[{"introduced":"0"},{"fixed":"f0a63fa7c5f74a77ffc52143ca4b0f22c8e47c9e"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"1.19.13b"}],"source":"AFFECTED_FIELD"}}],"versions":["1.19.12b","1.19.11b","1.19.10b","1.19.9b","1.19.8b","1.19.7b","1.19.6b","1.19.5b","1.19.4b","1.19.3b","1.19.2b","1.19.1b","1.19b","1.18.10b","twilight-1","1.18.9b","1.18.7b","1.18.6b","1.18.5b","1.18.4b","1.18.3b","1.18.2b","1.18.1b","1.18b","1.17.15b","1.17.14b","1.17.13b","1.17.12b","1.17.11b","1.17.10b","1.17.9b","1.17.8b","1.17.7b","1.17.6b","1.17.5b","1.17.3b","1.17.2b","1.17.1b","1.16.4b","1.16.3b","1.16.1b","1.16b","1.15.5b","1.15.4b","1.15.3b","1.15.2b","1.14.11b","1.14.10b","1.14.9b","1.14.8b","1.14.6b","1.14.5b","1.14.4b","1.14.3b","1.14.2b","1.14.1b","1.14b","1.13.2b","1.13.1b","1.13b","1.12.10b","1.12.9b","1.12.8b","1.12.7b","1.12.6b","1.12.5b","1.12.4b","1.12.3b","1.12.2b","1.12b","1.11.5b","1.11.4b","1.11.1b","1.11b","1.10.3b","1.10b","1.9b","1.8.2b","1.8.1b","1.8b","1.7.6b","1.7.4b","1.7.3b","1.7.2b","1.7.1b","1.7b","1.6b","1.0.2-b.5","1.0.2-b.4","1.0.2-b.3","1.0.2-b.2","1.0.2-b.1","1.0.2-b.0","1.0.1-a.19","1.0.1-a.21","1.0.1-a.20","1.0.1-a.18","1.0.1-a.17","1.0.1-a.16","1.0.1-a.15","1.0.1-a.14","1.0.1-a.13","1.0.1-a.12","1.0.1-a.11","1.0.1-a.10","1.0.1-a.9","1.0.1-a.8","1.0.1-a.7","1.0.1-a.6","1.0.1-a.5","1.0.1-a.4","1.0.1-a.3","1.0.1-a.2","1.0.1-a.1","1.0.0-a.39","1.0.0-a.35","1.0.0-a.34","1.0.0-a.33","1.0.0-a.32","1.0.0-a.31","1.0.0-a.30","1.0.0-a.29","1.0.0-a.27","1.0.0-a.26","1.0.0-a.24","1.0.0-a.23","1.0.0-a.16","1.0.0-a.15","1.0.0-a.14","1.0.0-a.13","1.0.0-a.12","1.0.0-a.11","1.0.0-a.10","1.0.0-a.9","1.0.0-a.8","1.0.0-a.7","1.0.0-a.6","1.0.0-a.5","1.0.0-a.4","1.0.0-a.3","1.0.0-a.2","1.0.0-a.1","0.0.0-a.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45150.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"}]}