Description
Address bar spoofing in Arc Search for Android allows a remote attacker to display a trusted domain in the address bar while rendering attacker-controlled content, enabling phishing.
Published: 2026-06-16
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Arc Search for Android has a window.open race condition that allows a remote attacker to cause the address bar to display a legitimate domain name while rendering attacker‑controlled content. This flaw, classified as CWE‑1021 (Incorrect Resource Access Control), lets a malicious site masquerade as a trusted site, enabling phishing attacks against users who trust the displayed URL.

Affected Systems

The affected product is Arc Search from The Browser Company of New York, available for Android devices. Version information is not provided in the CVE data, so all releases of Arc Search for Android should be considered potentially vulnerable until a patch is released.

Risk and Exploitability

The CVSS score of 7.4 denotes a high‑impact vulnerability, while the EPSS score of less than 1% indicates a low probability of exploitation at this time. The flaw is not listed in the CISA KEV catalog. Attackers can trigger the race condition by inducing a window.open call, likely via a crafted link or malicious content accessed through Arc Search. If exploited, the attacker can perform phishing attacks that appear legitimate to users, potentially compromising credentials or personal information.

Generated by OpenCVE AI on June 17, 2026 at 20:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Arc Search to the latest version that fixes the race condition once released by The Browser Company.
  • If a patch is not yet available, disable or uninstall Arc Search from affected devices until the vulnerability is addressed.
  • Monitor The Browser Company’s security advisories and the CVE tracker for patch releases or additional mitigation guidance.

Generated by OpenCVE AI on June 17, 2026 at 20:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
History

Fri, 26 Jun 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared The Browsercompany Of New York
The Browsercompany Of New York arcsearch
Vendors & Products The Browsercompany Of New York
The Browsercompany Of New York arcsearch

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Address bar spoofing in Arc Search for Android allows a remote attacker to display a trusted domain in the address bar while rendering attacker-controlled content, enabling phishing.
Title Address Bar Spoofing in Arc Search for Android (window.open race condition)
Weaknesses CWE-1021
References
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N'}


Subscriptions

The Browsercompany Of New York Arcsearch
cve-icon MITRE

Status: PUBLISHED

Assigner: BCNY

Published:

Updated: 2026-06-17T15:03:25.893Z

Reserved: 2026-06-15T20:22:24.728Z

Link: CVE-2026-12348

cve-icon Vulnrichment

Updated: 2026-06-17T15:03:22.585Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T08:00:07Z

Weaknesses
  • CWE-1021

    Improper Restriction of Rendered UI Layers or Frames