CVE-2026-12348 - Vulnerability Details - OpenCVE

Address bar spoofing in Arc Search for Android allows a remote attacker to display a trusted domain in the address bar while rendering attacker-controlled content, enabling phishing.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
The Browsercompany Of New York	Arcsearch

No data.

No data.

References

Link	Providers
https://hackerone.com/reports/3705306

History

Fri, 26 Jun 2026 08:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		The Browsercompany Of New York The Browsercompany Of New York arcsearch
Vendors & Products		The Browsercompany Of New York The Browsercompany Of New York arcsearch

Thu, 18 Jun 2026 04:45:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 16 Jun 2026 20:45:00 +0000

Type	Values Removed	Values Added
Description		Address bar spoofing in Arc Search for Android allows a remote attacker to display a trusted domain in the address bar while rendering attacker-controlled content, enabling phishing.
Title		Address Bar Spoofing in Arc Search for Android (window.open race condition)
Weaknesses		CWE-1021
References		https://hackerone.com/reports/3705306
Metrics		cvssV3_1 `{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N'}`

MITRE

Status: PUBLISHED

Assigner: BCNY

Published: 2026-06-16T19:54:06.194Z

Updated: 2026-06-17T15:03:25.893Z

Reserved: 2026-06-15T20:22:24.728Z

Link: CVE-2026-12348

Vulnrichment

Updated: 2026-06-17T15:03:22.585Z

NVD

No data.

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-12348", "assignerOrgId": "59469e6c-7ea7-446f-8e43-06aa32c115e8", "state": "PUBLISHED", "assignerShortName": "BCNY", "dateReserved": "2026-06-15T20:22:24.728Z", "datePublished": "2026-06-16T19:54:06.194Z", "dateUpdated": "2026-06-17T15:03:25.893Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "59469e6c-7ea7-446f-8e43-06aa32c115e8", "shortName": "BCNY", "dateUpdated": "2026-06-16T19:54:06.194Z"}, "title": "Address Bar Spoofing in Arc Search for Android (window.open race condition)", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-1021", "description": "CWE-1021 Improper restriction of rendered UI layers or frames", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "Address bar spoofing"}]}], "affected": [{"vendor": "The Browser Company of New York`", "product": "Arc Search", "platforms": ["Android"], "versions": [{"status": "unaffected", "version": "0", "lessThanOrEqual": "1.12.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Address bar spoofing in Arc Search for Android allows a remote attacker to display a trusted domain in the address bar while rendering attacker-controlled content, enabling phishing.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Address bar spoofing in Arc Search for Android allows a remote attacker to display a trusted domain in the address bar while rendering attacker-controlled content, enabling phishing.<br>"}]}], "references": [{"url": "https://hackerone.com/reports/3705306"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseSeverity": "HIGH", "baseScore": 7.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-17T15:03:19.951325Z", "id": "CVE-2026-12348", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-17T15:03:25.893Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-12348", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-17T15:03:19.951325Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-17T15:03:22.585Z"}}], "cna": {"title": "Address Bar Spoofing in Arc Search for Android (window.open race condition)", "source": {"discovery": "UNKNOWN"}, "impacts": [{"descriptions": [{"lang": "en", "value": "Address bar spoofing"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "The Browser Company of New York`", "product": "Arc Search", "versions": [{"status": "unaffected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.12.8"}], "platforms": ["Android"], "defaultStatus": "unaffected"}], "references": [{"url": "https://hackerone.com/reports/3705306"}], "x_generator": {"engine": "Vulnogram 1.0.2"}, "descriptions": [{"lang": "en", "value": "Address bar spoofing in Arc Search for Android allows a remote attacker to display a trusted domain in the address bar while rendering attacker-controlled content, enabling phishing.", "supportingMedia": [{"type": "text/html", "value": "Address bar spoofing in Arc Search for Android allows a remote attacker to display a trusted domain in the address bar while rendering attacker-controlled content, enabling phishing.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1021", "description": "CWE-1021 Improper restriction of rendered UI layers or frames"}]}], "providerMetadata": {"orgId": "59469e6c-7ea7-446f-8e43-06aa32c115e8", "shortName": "BCNY", "dateUpdated": "2026-06-16T19:54:06.194Z"}}}, "cveMetadata": {"cveId": "CVE-2026-12348", "state": "PUBLISHED", "dateUpdated": "2026-06-17T15:03:25.893Z", "dateReserved": "2026-06-15T20:22:24.728Z", "assignerOrgId": "59469e6c-7ea7-446f-8e43-06aa32c115e8", "datePublished": "2026-06-16T19:54:06.194Z", "assignerShortName": "BCNY"}, "dataVersion": "5.2"}