HIGHCVE-2026-2378Published 2026-03-20Modified 2026-03-23CNA BCNY

CVE-2026-2378: Address bar spoofing risk in ArcSearch on Android

ArcSearch for Android versions prior to 1.12.7 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content.

CVSS v3.1: 7.4
Severity: HIGH
Fixed in: 1.12.7
Affected Products: 1

Fix available

1.12.7

Affected packages

The BrowserCompany of New York / ArcSearch
< 1.12.7 (from 0)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

References

arc.net

Metrics

Fix available