Security Vulnerability Report
CVE-2026-2378 CVSS 7.4 HIGH

Published: 2026-03-20 22:16:27
Last Modified: 2026-04-16 14:34:33
Source: 59469e6c-7ea7-446f-8e43-06aa32c115e8

Description

ArcSearch for Android versions prior to 1.12.7 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content.

CVSS Details

CVSS Score: 7.4
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:thebrowser:arc_search:*:*:*:*:*:android:*:* - VULNERABLE
ArcSearch for Android < 1.12.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- Proof of Concept: Address Bar Spoofing Simulation -->
<!-- This code simulates a phishing page that might exploit the UI inconsistency -->
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <title>Secure Login</title>
  <style>
    body {
      font-family: Arial, sans-serif;
      display: flex;
      flex-direction: column;
      align-items: center;
      justify-content: center;
      height: 100vh;
      background-color: #f0f2f5;
    }
    .container {
      background: white;
      padding: 40px;
      border-radius: 8px;
      box-shadow: 0 4px 12px rgba(0,0,0,0.1);
      text-align: center;
    }
    input {
      width: 80%;
      padding: 10px;
      margin: 10px 0;
      border: 1px solid #ccc;
      border-radius: 4px;
    }
    button {
      width: 85%;
      padding: 10px;
      background-color: #007bff;
      color: white;
      border: none;
      border-radius: 4px;
      cursor: pointer;
    }
  </style>
</head>
<body>
  <div class="container">
    <h2>Account Verification</h2>
    <p>Please enter your credentials to continue.</p>
    <!-- In a real exploit, the address bar would show 'trusted-site.com' -->
    <input type="text" placeholder="Username / Email">
    <input type="password" placeholder="Password">
    <button onclick="exploit()">Login</button>
  </div>
  <script>
    function exploit() {
      // Simulation of data exfiltration
      console.log('Spoofing successful: User interaction captured.');
      alert('This is a simulation. In a real attack, your data would be sent to the attacker.');
    }
  </script>
</body>
</html>

References

https://arc.net/security/bulletins (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-2378", "sourceIdentifier": "59469e6c-7ea7-446f-8e43-06aa32c115e8", "published": "2026-03-20T22:16:27.497", "lastModified": "2026-04-16T14:34:33.427", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ArcSearch for Android versions prior to 1.12.7 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content."}, {"lang": "es", "value": "ArcSearch para versiones de Android anteriores a la 1.12.7 podría mostrar un dominio diferente en la barra de direcciones al contenido que se mostraba, permitiendo la suplantación de la barra de direcciones después de la interacción del usuario mediante contenido web manipulado."}], "metrics": {"cvssMetricV31": [{"source": "59469e6c-7ea7-446f-8e43-06aa32c115e8", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 4.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "59469e6c-7ea7-446f-8e43-06aa32c115e8", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1021"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": 
true, "criteria": "cpe:2.3:a:thebrowser:arc_search:*:*:*:*:*:android:*:*", "versionEndExcluding": "1.12.7", "matchCriteriaId": "4E59F856-9B31-43D7-9969-9281627E6DEC"}]}]}], "references": [{"url": "https://arc.net/security/bulletins", "source": "59469e6c-7ea7-446f-8e43-06aa32c115e8", "tags": ["Vendor Advisory"]}]}}