Skip to main content

Arc Search CVE-2026-12348

| EUVDEUVD-2026-37290 HIGH
Improper Restriction of Rendered UI Layers or Frames (CWE-1021)
2026-06-16 BCNY
7.4
CVSS 3.1 · Vendor: BCNY
Share

Severity by source

Vendor (BCNY) PRIMARY
7.4 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
vuln.today AI
7.4 HIGH

Remote link delivery (AV:N), no auth (PR:N), user must click (UI:R); spoof crosses trust boundary (S:C) and corrupts user trust decisions (I:H), with no direct C or A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N

Primary rating from Vendor (BCNY).

CVSS VectorVendor: BCNY

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 16, 2026 - 23:24 vuln.today
CVE Published
Jun 16, 2026 - 19:54 cve.org
HIGH 7.4

DescriptionCVE.org

Address bar spoofing in Arc Search for Android allows a remote attacker to display a trusted domain in the address bar while rendering attacker-controlled content, enabling phishing.

AnalysisAI

Address bar spoofing in The Browser Company's Arc Search for Android allows remote attackers to render attacker-controlled content beneath a legitimate-looking URL in the address bar, enabling high-fidelity phishing against mobile users. The flaw maps to CWE-1021 (improper restriction of rendered UI layers) and carries a CVSS 7.4 due to the integrity impact on user trust decisions, though successful exploitation requires user interaction. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send phishing link to victim
Delivery
Victim opens link in Arc Search Android
Exploit
Trigger address bar desync
Execution
Render attacker content under trusted URL
Persist
Victim submits credentials to spoofed page
Impact
Exfiltrate captured credentials

Vulnerability AssessmentAI

Exploitation The victim must open an attacker-supplied URL specifically within Arc Search on Android (UI:R) - the bug does not affect users on other browsers or platforms, and there is no server-side prerequisite. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS vector AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N is internally consistent: remote, low-complexity, no auth, but the victim must interact (likely by clicking a malicious link), and the scope change reflects how the spoof undermines the browser's trust boundary affecting the user's judgment about an entirely separate origin. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends a phishing link via SMS, email, or social media that, when opened in Arc Search on Android, triggers the spoofing condition so the address bar displays a trusted domain (e.g., a bank or SSO provider) while the page body renders the attacker's credential-harvesting form. The victim, seeing the expected URL, enters credentials or MFA codes that are exfiltrated to the attacker. …
Remediation No vendor-released patch identified at time of analysis; users should update Arc Search for Android to the latest Play Store build as soon as The Browser Company publishes an advisory, and security teams should monitor https://hackerone.com/reports/3705306 for disclosure of the fixed version. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory Arc Search for Android installations across the organization and notify all users of the vulnerability (CVE-2026-12348) with guidance to avoid clicking untrusted links. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12348 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy