Skip to main content

Arc Search EUVDEUVD-2026-37290

| CVE-2026-12348 HIGH
Improper Restriction of Rendered UI Layers or Frames (CWE-1021)
2026-06-16 BCNY
7.4
CVSS 3.1 · Vendor: BCNY
Share

Severity by source

Vendor (BCNY) PRIMARY
7.4 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
vuln.today AI
7.4 HIGH

Remote link delivery (AV:N), no auth (PR:N), user must click (UI:R); spoof crosses trust boundary (S:C) and corrupts user trust decisions (I:H), with no direct C or A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N

Primary rating from Vendor (BCNY).

CVSS VectorVendor: BCNY

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 16, 2026 - 23:24 vuln.today
CVE Published
Jun 16, 2026 - 19:54 cve.org
HIGH 7.4

DescriptionCVE.org

Address bar spoofing in Arc Search for Android allows a remote attacker to display a trusted domain in the address bar while rendering attacker-controlled content, enabling phishing.

AnalysisAI

Address bar spoofing in The Browser Company's Arc Search for Android allows remote attackers to render attacker-controlled content beneath a legitimate-looking URL in the address bar, enabling high-fidelity phishing against mobile users. The flaw maps to CWE-1021 (improper restriction of rendered UI layers) and carries a CVSS 7.4 due to the integrity impact on user trust decisions, though successful exploitation requires user interaction. No public exploit identified at time of analysis, but a HackerOne report (#3705306) suggests reproducible POC details exist within the disclosure program.

Technical ContextAI

Arc Search is a mobile browser developed by The Browser Company of New York that emphasizes AI-driven 'Browse for Me' summarization on Android. The vulnerability falls under CWE-1021 (Improper Restriction of Rendered UI Layers or Frames), a class of UI redress flaws where the security-relevant chrome (in this case the address bar) becomes desynchronized from the content actually being rendered. Typical root causes include race conditions between navigation events and URL bar updates, mishandling of about:blank or javascript: navigations, or premature commit of a pending URL before the destination response is received. The CPE string identifies all versions of arc_search as affected, indicating the vendor has not yet scoped a fixed build range publicly.

RemediationAI

No vendor-released patch identified at time of analysis; users should update Arc Search for Android to the latest Play Store build as soon as The Browser Company publishes an advisory, and security teams should monitor https://hackerone.com/reports/3705306 for disclosure of the fixed version. As compensating controls until a patched build ships, organizations can restrict Arc Search via mobile device management on managed Android fleets and steer users to a browser with a confirmed-clean address-bar implementation, accepting the productivity trade-off of removing the AI summarization feature. End users should be advised not to rely on the address bar alone when assessing site authenticity in Arc Search and to verify HTTPS certificate details via the lock icon, recognizing this is an awkward workflow on mobile.

Share

EUVD-2026-37290 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy