Cyber Resilience

CVE-2026-2378

Severity: High
Published: 20 March 2026
Modified: 16 April 2026
KEV Added: not listed
Patch: see the vendor security bulletin (https://arc.net/security/bulletins)
CVSS Score (v3.1): 7.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)
EPSS Score: 0.0004 (12.5th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-2378 is a high-severity Improper Restriction of Rendered UI Layers or Frames (CWE-1021) vulnerability in Thebrowser Arc Search. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002). EPSS ranks the CVE at the 12.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-11 (Trusted Path) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-2378 is an address bar spoofing vulnerability in ArcSearch for Android versions prior to 1.12.7. The issue enables the application to display a different domain in the address bar than the actual content being rendered, triggered after user interaction with crafted web content. It is classified under CWE-1021 and carries a CVSS v3.1 base score of 7.4 (AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N). The vulnerability was published on 2026-03-20.

Remote attackers require no privileges and can exploit this over the network with low attack complexity, though user interaction is necessary. On successful exploitation the impact crosses a security scope boundary (S:C), with high integrity impact and no confidentiality or availability effects. Attackers can spoof the domain shown in the address bar, potentially tricking users into interacting with malicious content under the guise of a trusted site.

Mitigation details are available in the security bulletin at https://arc.net/security/bulletins.

Vulnerability details

ArcSearch for Android versions prior to 1.12.7 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1566.002 Spearphishing Link (Initial Access): Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
T1204.001 Malicious Link (Execution): An adversary may rely upon a user clicking a malicious link in order to gain execution.

Why these techniques?

Address bar spoofing after interaction with crafted web content directly enables deceptive phishing links and subsequent user execution of malicious content.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-15032 (shared CWE-1021)
CVE-2025-1940 (shared CWE-1021)
CVE-2026-0007 (shared CWE-1021)
CVE-2024-56435 (shared CWE-1021)
CVE-2025-1018 (shared CWE-1021)
CVE-2026-28577 (shared CWE-1021)
CVE-2026-0036 (shared CWE-1021)
CVE-2024-56436 (shared CWE-1021)
CVE-2026-22918 (shared CWE-1021)

Affected Assets

Vendor: thebrowser
Product: arc search
Versions: ≤ 1.12.7

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent, recover): Directly mitigates the CVE by identifying, reporting, and correcting the specific flaw in ArcSearch that enables address bar domain spoofing.

SC-11 Trusted Path (prevent): Establishes and protects the integrity of the trusted path for the address bar, preventing display of mismatched domains versus rendered content.

Input validation (prevent): Validates crafted web content inputs to the browser component, reducing the risk of exploitation leading to address bar spoofing.
