CVE-2025-15032
Published: 16 January 2026
Summary
CVE-2025-15032 is a high-severity Improper Restriction of Rendered UI Layers or Frames (CWE-1021) vulnerability in Diabrowser (inferred from references). Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Match Legitimate Resource Name or Location (T1036.005). It is ranked at the 3.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-7 (Software, Firmware, and Information Integrity).
Deeper analysis
CVE-2025-15032 affects Dia browser versions before 1.9.0 on macOS. The vulnerability stems from a missing about:blank indicator in custom-sized new windows, enabling attackers to spoof a trusted domain in the window title and mislead users about the current site. It has a CVSS v3.1 base score of 7.4 (AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N) and is associated with CWE-1021.
A remote attacker requires no privileges and can exploit this over the network with low attack complexity, though user interaction is necessary. Exploitation changes the scope of impact, resulting in high integrity effects but no confidentiality or availability disruption. Attackers can thereby deceive users into believing they are interacting with a legitimate trusted domain.
Dia has published a security bulletin addressing CVE-2025-15032 at https://www.diabrowser.com/security/bulletins#CVE-2025-15032, which security practitioners should consult for mitigation details and patch information.
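As an added, defender-side example (not part of this record and not code from the Dia project), the POSIX shell script below checks whether the Dia build installed on a macOS host is older than the fixed release 1.9.0 named above. The bundle path /Applications/Dia.app and the use of the standard CFBundleShortVersionString key are assumptions; the version comparison is numeric per dotted field, so 1.10.0 is correctly treated as newer than 1.9.0.

```shell
#!/bin/sh
# Added example: flag a Dia install on macOS that predates the 1.9.0 fix.
# Assumptions: the app bundle is at /Applications/Dia.app (override with
# DIA_PLIST) and its Info.plist carries CFBundleShortVersionString.

FIXED_VERSION="1.9.0"
DIA_PLIST="${DIA_PLIST:-/Applications/Dia.app/Contents/Info.plist}"

# version_lt A B -> exit status 0 when dotted version A is strictly less than B.
# Missing trailing fields count as 0, so "1.9" equals "1.9.0".
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1
    }'
}

# classify_version VERSION -> prints "vulnerable" below 1.9.0, else "patched".
classify_version() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo patched
    fi
}

# installed_version PLIST -> prints the bundle's short version string via
# defaults(1); fails when the bundle is absent or the key cannot be read.
installed_version() {
    plist="$1"
    [ -f "$plist" ] || return 1
    defaults read "${plist%.plist}" CFBundleShortVersionString 2>/dev/null
}

# Report the status of the local install (no output beyond one line).
if ver=$(installed_version "$DIA_PLIST"); then
    printf 'Dia %s: %s (fixed in %s)\n' "$ver" "$(classify_version "$ver")" "$FIXED_VERSION"
else
    printf 'Dia not found at %s\n' "$DIA_PLIST"
fi
```

Run it as-is on the endpoint, or point DIA_PLIST at a copied Info.plist gathered by an inventory tool; the `classify_version` function can also be fed version strings collected elsewhere.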
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2869
Vulnerability details
Missing about:blank indicator in custom-sized new windows in Dia before 1.9.0 on macOS could allow an attacker to spoof a trusted domain in the window title and mislead users about the current site.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
- T1036.005 Match Legitimate Resource Name or Location
Why these techniques?
The vulnerability enables domain title spoofing in browser windows, directly facilitating masquerading of trusted resources and spearphishing via malicious links to deceive users.
Mitigating Controls (NIST 800-53 r5) (AI)
- SI-2 (Flaw Remediation): directly requires applying the vendor patch that adds the missing about:blank indicator and eliminates the title-spoofing flaw.
- SI-7 (Software, Firmware, and Information Integrity): verifies that only the patched, untampered Dia binary is executed, blocking use of the vulnerable version that permits domain spoofing.
- Trusted path: requires a trusted path between the user and security-relevant UI elements, which the missing indicator violates.