Skip to content

Context-menu "Open link in glance" / "Split link in new tab" loads a page-controlled link with the System principal

Low
mr-cheffy published GHSA-vpvg-hp3v-rm5q Jul 2, 2026

Package

zen-browser/desktop (zen-browser/desktop)

Affected versions

<= 1.21.4b

Patched versions

>= 1.21.5b

Description

Zen's glance and split-view context-menu actions — "Open link in glance" and "Split link in new tab" — load a page-controlled link URL with the System principal instead of the originating page's principal. A malicious web page can place a link to a file:// URL (which a web origin is normally forbidden to load); if the user opens that link via either context-menu item, it loads with System privileges, bypassing the content→file: security check that blocks an ordinary click. Exploitation requires a user gesture (right-click → menu item). javascript: and chrome:// targets did not load on this path in testing, and the loaded file:// document is cross-origin to the attacker page, so this is a privilege/principal-escalation that exposes local files, not code execution or silent file theft. Severity: Medium (CWE-266), the same defect class as CVE-2026-44658.

Severity

Low

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N

CVE ID

CVE-2026-57501

Weaknesses

Incorrect Privilege Assignment

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. Learn more on MITRE.

Credits