CVE-2026-2378

ArcSearch for Android versions prior to 1.12.7 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content.

CVSS v3 7.4 HIGH

7.4^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://arc.net/security/bulletins	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:thebrowser:arc_search:*:*:*:*:*:android:*:*

History

16 Apr 2026, 14:34

Type	Values Removed	Values Added
References	~~() https://arc.net/security/bulletins -~~	() https://arc.net/security/bulletins - Vendor Advisory
CPE		cpe:2.3:a:thebrowser:arc_search::::::android::*
First Time		Thebrowser Thebrowser arc Search
Summary		(es) ArcSearch para versiones de Android anteriores a la 1.12.7 podría mostrar un dominio diferente en la barra de direcciones al contenido que se mostraba, permitiendo la suplantación de la barra de direcciones después de la interacción del usuario mediante contenido web manipulado.

20 Mar 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-20 22:16

Updated : 2026-04-16 14:34

NVD link : CVE-2026-2378

Mitre link : CVE-2026-2378

CVE.ORG link : CVE-2026-2378

JSON object : View

Products Affected

thebrowser

arc_search

CWE

CWE-1021

Improper Restriction of Rendered UI Layers or Frames

{"id": "CVE-2026-2378", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "59469e6c-7ea7-446f-8e43-06aa32c115e8", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2026-03-20T22:16:27.497", "references": [{"url": "https://arc.net/security/bulletins", "tags": ["Vendor Advisory"], "source": "59469e6c-7ea7-446f-8e43-06aa32c115e8"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "59469e6c-7ea7-446f-8e43-06aa32c115e8", "description": [{"lang": "en", "value": "CWE-1021"}]}], "descriptions": [{"lang": "en", "value": "ArcSearch for Android versions prior to 1.12.7 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content."}, {"lang": "es", "value": "ArcSearch para versiones de Android anteriores a la 1.12.7 podr\u00eda mostrar un dominio diferente en la barra de direcciones al contenido que se mostraba, permitiendo la suplantaci\u00f3n de la barra de direcciones despu\u00e9s de la interacci\u00f3n del usuario mediante contenido web manipulado."}], "lastModified": "2026-04-16T14:34:33.427", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:thebrowser:arc_search:*:*:*:*:*:android:*:*", "vulnerable": true, "matchCriteriaId": "4E59F856-9B31-43D7-9969-9281627E6DEC", "versionEndExcluding": "1.12.7"}], "operator": "OR"}]}], "sourceIdentifier": "59469e6c-7ea7-446f-8e43-06aa32c115e8"}