CVE-2026-12348 The Browser Company of New York` CVE debrief

Who should care

Users of Arc Search for Android, security teams, and IT administrators should be aware of this vulnerability and take necessary precautions to prevent phishing attacks.

Technical summary

CVE-2026-12348 is an address bar spoofing vulnerability in Arc Search for Android that allows remote attackers to display a trusted domain in the address bar while rendering attacker-controlled content. This enables phishing attacks, which can lead to sensitive information disclosure. The vulnerability has a CVSS score of 7.4 and is considered high severity. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N.

Defensive priority

High

Recommended defensive actions

• Update Arc Search for Android to the latest version
• Be cautious when clicking on links from untrusted sources
• Verify the authenticity of websites before entering sensitive information
• Use a reputable security software to detect and prevent phishing attacks
• Educate users on how to identify phishing attempts
• Monitor for suspicious activity and implement incident response plans

Evidence notes

The CVE record and NVD detail provide information on this vulnerability. The CVE was published on June 17, 2026, and has a CVSS score of 7.4. The vulnerability is considered high severity.

Official resources