CVE-2026-57501 in Zeninfo

Summary

by MITRE • 07/10/2026

Zen is a firefox-based browser. Prior to 1.21.5b, Zen's glance and split-view context-menu actions, Open link in glance and Split link in new tab, load a page-controlled link URL with the System principal instead of the originating page's principal, allowing a malicious web page to place a link to a file URL that can load with System privileges when opened through either context-menu item and bypass the content-to-file security check that blocks an ordinary click. This issue is fixed in version 1.21.5b.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

This vulnerability affects Zen browser versions prior to 1.21.5b and represents a critical privilege escalation flaw in the browser's context menu handling mechanisms. The vulnerability stems from improper principal assignment when processing web page links through specific glance and split-view context menu actions. When users select "Open link in glance" or "Split link in new tab" from the context menu, the browser incorrectly loads page-controlled URLs using the system principal rather than the originating page's principal. This misconfiguration creates a significant security gap that allows malicious web pages to craft links pointing to local file URLs and execute them with elevated privileges.

The technical flaw resides in the browser's security model implementation where the System principal grants extensive permissions typically reserved for privileged operations, bypassing normal content-to-file access restrictions that would normally prevent web content from directly accessing local filesystem resources. This misapplication of security principals enables a malicious website to construct specially crafted links that, when clicked through the affected context menu actions, execute with system-level privileges instead of being restricted to the originating page's sandboxed environment. The vulnerability specifically impacts the browser's handling of file URLs and demonstrates a failure in proper privilege management during URL loading operations.

The operational impact of this vulnerability is severe as it allows remote code execution capabilities against users who interact with malicious web content through the affected context menu actions. An attacker could craft a webpage containing links that, when opened via the glance or split-view functionality, load local files with system privileges, potentially enabling full system compromise. This represents a classic cross-site scripting attack vector that leverages browser security model weaknesses to escalate privileges from web content to system-level operations.

This vulnerability maps to CWE-264 in the Common Weakness Enumeration catalog, specifically addressing "Permissions, Privileges, and Access Controls" where improper privilege management leads to unauthorized access. The issue also aligns with ATT&CK technique T1059 which covers command and scripting interpreter usage, as the compromised browser could potentially execute malicious code through system-level file access. Additionally, this represents a privilege escalation vulnerability that could be chained with other attacks to achieve complete system compromise.

The fix implemented in Zen version 1.21.5b addresses the core issue by ensuring proper principal assignment during URL loading operations for context menu actions. The update correctly implements the originating page's security context when processing links through glance and split-view functionality, preventing malicious web content from bypassing normal file access restrictions. Users should immediately upgrade to version 1.21.5b or later to remediate this vulnerability and restore proper browser security boundaries between web content and local system resources.

Responsible

GitHub M

Reservation

06/24/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!