CVE-2026-12348 is an address bar spoofing vulnerability in Arc Search for Android (CVSS 7.4) that allows a remote attacker to display a legitimate-looking domain in the browser while serving attacker-controlled content, creating a high-fidelity phishing surface on managed Android devices. No active exploitation is confirmed; the EPSS score of 0.00372 at the 28.8th percentile reflects low current exploitation probability. Specific affected and patched version numbers were not confirmed in the available source data.