CVE-2026-28576

MEDIUM

Android - SQL Injection

Title source: rule
STIX 2.1

Description

In Contacts Provider, there is a possible way to access the contacts database due to SQL injection. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

References (1)

Core 1
Core References

Scores

CVSS v3 5.5
EPSS 0.0015
EPSS Percentile 4.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (2)
Android/Android 17
google/android 17.0
Published Jun 17, 2026
Tracked Since Jun 17, 2026