Description
ArcSearch for Android versions prior to 1.12.7 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content.
Published: 2026-03-20
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Phishing
Action: Update App
AI Analysis

Impact

ArcSearch for Android versions earlier than 1.12.7 can show a domain in the address bar that does not match the visible content after a user interacts with crafted web pages. This inconsistency allows an attacker to trick users into believing they are browsing a trusted site while the loaded page is actually from a malicious source, facilitating credential theft or other phishing attacks.

Affected Systems

The vulnerability affects The Browser Company of New York’s ArcSearch application for Android in versions before 1.12.7. Any user with an older installation is susceptible until the application is updated to the patched release.

Risk and Exploitability

With a CVSS score of 7.4, the vulnerability is rated high severity. EPSS data is not available and the issue is not listed in the CISA KEV catalog. The description suggests that the attack is client-side and does not require privileged access: the attacker must deliver crafted web content that the user then interacts with in ArcSearch, which makes the vulnerability potentially exploitable through typical social engineering or malicious websites.

Generated by OpenCVE AI on March 20, 2026 at 22:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update ArcSearch to version 1.12.7 or later.
  • If updating is not immediately possible, monitor the ArcSearch security bulletin at https://arc.net/security/bulletins for further guidance or patches.



Advisories

No advisories yet.

References
History

Thu, 16 Apr 2026 14:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Thebrowser; Thebrowser arc Search |
| CPEs | | cpe:2.3:a:thebrowser:arc_search:*:*:*:*:*:android:*:* |
| Vendors & Products | | Thebrowser; Thebrowser arc Search |

Mon, 23 Mar 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Mon, 23 Mar 2026 10:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | The Browsercompany Of New York; The Browsercompany Of New York arcsearch |
| Vendors & Products | | The Browsercompany Of New York; The Browsercompany Of New York arcsearch |

Fri, 20 Mar 2026 21:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | ArcSearch for Android versions prior to 1.12.7 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content. |
| Title | | Address bar spoofing risk in ArcSearch on Android |
| Weaknesses | | CWE-1021 |
| References | | |
| Metrics | | cvssV3_1: {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N'} |


MITRE

Status: PUBLISHED

Assigner: BCNY

Published:

Updated: 2026-03-23T14:13:09.052Z

Reserved: 2026-02-11T21:24:56.878Z

Link: CVE-2026-2378

Vulnrichment

Updated: 2026-03-23T14:13:05.578Z

NVD

Status: Analyzed

Published: 2026-03-20T22:16:27.497

Modified: 2026-04-16T14:34:33.427

Link: CVE-2026-2378

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:34:32Z

Weaknesses