CVE-2025-15032 - Vulnerability Details - OpenCVE

Missing about:blank indicator in custom-sized new windows in Dia before 1.9.0 on macOS could allow an attacker to spoof a trusted domain in the window title and mislead users about the current site.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

Upgrade Dia to a version 1.9.0 or later

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.diabrowser.com/security/bulletins#CVE-2025-15032

History

Fri, 16 Jan 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 16 Jan 2026 18:30:00 +0000

Type	Values Removed	Values Added
Description		Missing about:blank indicator in custom-sized new windows in Dia before 1.9.0 on macOS could allow an attacker to spoof a trusted domain in the window title and mislead users about the current site.
Title		CVE-2025-15032: Increased Spoofing risk; custom new window missing about:blank
Weaknesses		CWE-1021
References		https://www.diabrowser.com/security/bulletins#CVE-2025-15032
Metrics		cvssV3_1 `{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: BCNY

Published: 2026-01-16T18:11:32.153Z

Updated: 2026-01-16T18:35:45.651Z

Reserved: 2025-12-22T15:25:37.344Z

Link: CVE-2025-15032

Vulnrichment

Updated: 2026-01-16T18:35:36.532Z

NVD

Status : Received

Published: 2026-01-16T19:16:16.220

Modified: 2026-01-16T19:16:16.220

Link: CVE-2025-15032

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-1021

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15032", "assignerOrgId": "59469e6c-7ea7-446f-8e43-06aa32c115e8", "state": "PUBLISHED", "assignerShortName": "BCNY", "dateReserved": "2025-12-22T15:25:37.344Z", "datePublished": "2026-01-16T18:11:32.153Z", "dateUpdated": "2026-01-16T18:35:45.651Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Dia", "vendor": "The Browser Company of New York", "versions": [{"lessThan": "1.9.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "datePublic": "2026-01-16T18:11:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing about:blank indicator in custom-sized new windows in Dia before 1.9.0 on macOS could allow an attacker to spoof a trusted domain in the window title and mislead users about the current site."}], "value": "Missing about:blank indicator in custom-sized new windows in Dia before 1.9.0 on macOS could allow an attacker to spoof a trusted domain in the window title and mislead users about the current site."}], "impacts": [{"capecId": "CAPEC-148", "descriptions": [{"lang": "en", "value": "CAPEC-148 Content Spoofing"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1021", "description": "CWE-1021 Improper Restriction of Rendered UI Layers or Frames", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "59469e6c-7ea7-446f-8e43-06aa32c115e8", "shortName": "BCNY", "dateUpdated": "2026-01-16T18:11:32.153Z"}, "references": [{"url": "https://www.diabrowser.com/security/bulletins#CVE-2025-15032"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Upgrade Dia to a version 1.9.0 or later"}], "value": "Upgrade Dia to a version 1.9.0 or later"}], "source": {"advisory": "BSEC-66", "discovery": "UNKNOWN"}, "title": "CVE-2025-15032: Increased Spoofing risk; custom new window missing about:blank", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-16T18:35:22.027061Z", "id": "CVE-2025-15032", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T18:35:45.651Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-15032", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-16T18:35:22.027061Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T18:35:36.532Z"}}], "cna": {"title": "CVE-2025-15032: Increased Spoofing risk; custom new window missing about:blank", "source": {"advisory": "BSEC-66", "discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-148", "descriptions": [{"lang": "en", "value": "CAPEC-148 Content Spoofing"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "The Browser Company of New York", "product": "Dia", "versions": [{"status": "affected", "version": "0", "lessThan": "1.9.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade Dia to a version 1.9.0 or later", "supportingMedia": [{"type": "text/html", "value": "Upgrade Dia to a version 1.9.0 or later", "base64": false}]}], "datePublic": "2026-01-16T18:11:00.000Z", "references": [{"url": "https://www.diabrowser.com/security/bulletins#CVE-2025-15032"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Missing about:blank indicator in custom-sized new windows in Dia before 1.9.0 on macOS could allow an attacker to spoof a trusted domain in the window title and mislead users about the current site.", "supportingMedia": [{"type": "text/html", "value": "Missing about:blank indicator in custom-sized new windows in Dia before 1.9.0 on macOS could allow an attacker to spoof a trusted domain in the window title and mislead users about the current site.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1021", "description": "CWE-1021 Improper Restriction of Rendered UI Layers or Frames"}]}], "providerMetadata": {"orgId": "59469e6c-7ea7-446f-8e43-06aa32c115e8", "shortName": "BCNY", "dateUpdated": "2026-01-16T18:11:32.153Z"}}}, "cveMetadata": {"cveId": "CVE-2025-15032", "state": "PUBLISHED", "dateUpdated": "2026-01-16T18:35:45.651Z", "dateReserved": "2025-12-22T15:25:37.344Z", "assignerOrgId": "59469e6c-7ea7-446f-8e43-06aa32c115e8", "datePublished": "2026-01-16T18:11:32.153Z", "assignerShortName": "BCNY"}, "dataVersion": "5.2"}