CVE-2025-15032
Published: 16 January 2026
Summary
CVE-2025-15032 is a high-severity Improper Restriction of Rendered UI Layers or Frames (CWE-1021) vulnerability in Diabrowser (inferred from references). Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Match Legitimate Resource Name or Location (T1036.005); ranked at the 1.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables domain-title spoofing in browser windows, which directly facilitates masquerading as trusted resources and spearphishing via malicious links to deceive users.
NVD Description
Missing about:blank indicator in custom-sized new windows in Dia before 1.9.0 on macOS could allow an attacker to spoof a trusted domain in the window title and mislead users about the current site.
Deeper analysis
CVE-2025-15032 affects Dia browser versions before 1.9.0 on macOS. The vulnerability stems from a missing about:blank indicator in custom-sized new windows, enabling attackers to spoof a trusted domain in the window title and mislead users about the current site. It has a CVSS v3.1 base score of 7.4 (AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N) and is associated with CWE-1021.
A remote attacker requires no privileges and can exploit this over the network with low attack complexity, though user interaction is required. Exploitation changes the scope of impact, resulting in a high integrity impact but no confidentiality or availability impact. Attackers can thereby deceive users into believing they are interacting with a legitimate trusted domain.
Dia has published a security bulletin addressing CVE-2025-15032 at https://www.diabrowser.com/security/bulletins#CVE-2025-15032, which security practitioners should consult for mitigation details and patch information.
Details
- CWE(s)