Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
Remote link delivery (AV:N), no auth (PR:N), user must click (UI:R); spoof crosses trust boundary (S:C) and corrupts user trust decisions (I:H), with no direct C or A impact.
Primary rating from Vendor (BCNY).
CVSS VectorVendor: BCNY
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Address bar spoofing in Arc Search for Android allows a remote attacker to display a trusted domain in the address bar while rendering attacker-controlled content, enabling phishing.
AnalysisAI
Address bar spoofing in The Browser Company's Arc Search for Android allows remote attackers to render attacker-controlled content beneath a legitimate-looking URL in the address bar, enabling high-fidelity phishing against mobile users. The flaw maps to CWE-1021 (improper restriction of rendered UI layers) and carries a CVSS 7.4 due to the integrity impact on user trust decisions, though successful exploitation requires user interaction. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The victim must open an attacker-supplied URL specifically within Arc Search on Android (UI:R) - the bug does not affect users on other browsers or platforms, and there is no server-side prerequisite. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS vector AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N is internally consistent: remote, low-complexity, no auth, but the victim must interact (likely by clicking a malicious link), and the scope change reflects how the spoof undermines the browser's trust boundary affecting the user's judgment about an entirely separate origin. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sends a phishing link via SMS, email, or social media that, when opened in Arc Search on Android, triggers the spoofing condition so the address bar displays a trusted domain (e.g., a bank or SSO provider) while the page body renders the attacker's credential-harvesting form. The victim, seeing the expected URL, enters credentials or MFA codes that are exfiltrated to the attacker. … |
| Remediation | No vendor-released patch identified at time of analysis; users should update Arc Search for Android to the latest Play Store build as soon as The Browser Company publishes an advisory, and security teams should monitor https://hackerone.com/reports/3705306 for disclosure of the fixed version. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory Arc Search for Android installations across the organization and notify all users of the vulnerability (CVE-2026-12348) with guidance to avoid clicking untrusted links. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37290