Cyber Posture

CVE-2026-2378
Severity: High

Published: 20 March 2026
Modified: 16 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: (no value given on this page)
CVSS Score: 7.4 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)
EPSS Score: 0.0003 (10.3rd percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-2378 is a high-severity Improper Restriction of Rendered UI Layers or Frames (CWE-1021) vulnerability in Thebrowser Arc Search. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002). The CVE is ranked at the 10.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-11 (Trusted Path) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Spearphishing Link (T1566.002) and one other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent, recover)
Directly mitigates the CVE by identifying, reporting, and correcting the specific flaw in ArcSearch that enables address bar domain spoofing.

SC-11 Trusted Path (prevent)
Establishes and protects the integrity of the trusted path for the address bar, preventing display of mismatched domains versus rendered content.

Input validation (prevent)
Validates crafted web content inputs to the browser component, reducing the risk of exploitation leading to address bar spoofing.

MITRE ATT&CK Enterprise Techniques

T1566.002 Spearphishing Link (Initial Access)
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.

T1204.001 Malicious Link (Execution)
An adversary may rely upon a user clicking a malicious link in order to gain execution.

Why these techniques?

Address bar spoofing after interaction with crafted web content directly enables deceptive phishing links and subsequent user execution of malicious content.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

ArcSearch for Android versions prior to 1.12.7 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content.

Deeper analysis

CVE-2026-2378 is an address bar spoofing vulnerability in ArcSearch for Android versions prior to 1.12.7. The issue enables the application to display a different domain in the address bar than the actual content being rendered, triggered after user interaction with crafted web content. It is classified under CWE-1021 and carries a CVSS v3.1 base score of 7.4 (AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N). The vulnerability was published on 2026-03-20.

Remote attackers require no privileges and can exploit this over the network with low attack complexity, though user interaction is necessary. On successful exploitation the CVSS scope is Changed (S:C), with high integrity impact and no confidentiality or availability effects. An attacker can spoof the domain shown in the address bar, potentially tricking users into interacting with malicious content under the guise of a trusted site.

Mitigation details are available in the security bulletin at https://arc.net/security/bulletins.

Details

CWE(s): CWE-1021 Improper Restriction of Rendered UI Layers or Frames

Affected Products

Vendor: thebrowser
Product: arc search
Versions: ≤ 1.12.7

CVEs Like This One

CVE-2025-15032 (shared CWE-1021)
CVE-2024-56436 (shared CWE-1021)
CVE-2026-0007 (shared CWE-1021)
CVE-2025-1940 (shared CWE-1021)
CVE-2026-22918 (shared CWE-1021)
CVE-2025-1018 (shared CWE-1021)
CVE-2024-56435 (shared CWE-1021)

References

Vendor security bulletin: https://arc.net/security/bulletins