Skip to main content

Google EUVDEUVD-2026-13808

| CVE-2026-2378 HIGH
Improper Restriction of Rendered UI Layers or Frames (CWE-1021)
2026-03-20 BCNY
7.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.4 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

7
Re-analysis Queued
Apr 16, 2026 - 14:37 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:19 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.12.7
EUVD ID Assigned
Mar 20, 2026 - 21:31 euvd
EUVD-2026-13808
Analysis Generated
Mar 20, 2026 - 21:31 vuln.today
CVE Published
Mar 20, 2026 - 21:16 nvd
HIGH 7.4

DescriptionCVE.org

ArcSearch for Android versions prior to 1.12.7 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content.

AnalysisAI

ArcSearch for Android versions prior to 1.12.7 contains an address bar spoofing vulnerability that allows attackers to display a different domain in the browser's address bar than the actual content being rendered. Users of ArcSearch for Android prior to version 1.12.7 are affected, and an attacker can craft malicious web content that, after user interaction, deceives users into believing they are visiting a legitimate domain while viewing attacker-controlled content. There is no indication of active exploitation in KEV data, and EPSS data is not provided.

Technical ContextAI

The vulnerability affects ArcSearch for Android, a mobile browser application developed by The Browser Company of New York (CPE: cpe:2.3:a:the_browsercompany_of_new_york:arcsearch:*:*:*:*:*:*:*:*). This is classified as CWE-1021 (Improper Restriction of Rendered UI Layers or Frames), which typically involves failures in properly synchronizing the displayed URL with the actual content origin. The root cause likely involves timing issues or race conditions in updating the address bar when content changes, or improper handling of navigation events that allow the visual indicator (address bar) to become desynchronized from the actual document origin. The tags reference XSS and Google, suggesting potential exploitation vectors involving cross-site scripting techniques or exploitation through Google-hosted content.

RemediationAI

Users should immediately upgrade ArcSearch for Android to version 1.12.7 or later, which addresses this address bar spoofing vulnerability. The patch can be obtained through the Google Play Store by updating the ArcSearch application or by visiting the vendor's security bulletin at https://arc.net/security/bulletins for direct download options and detailed upgrade instructions. Until patching is completed, users should exercise extreme caution when interacting with unfamiliar web content through ArcSearch for Android, manually verify URLs before entering credentials or sensitive information, and consider using an alternative mobile browser for accessing high-value targets such as banking or corporate authentication portals. Organizations deploying mobile device management solutions should push the update to managed devices and consider temporarily blocking access to sensitive resources from unpatched ArcSearch browser instances through user-agent filtering or conditional access policies.

Share

EUVD-2026-13808 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy