{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-28576: In Contacts Provider, there is a possible way to access the contacts database due to SQL injection","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-28576","status":"final","version":"1","initial_release_date":"2026-06-17T07:19:47.943Z","current_release_date":"2026-06-17T10:41:28.684Z","revision_history":[{"date":"2026-06-17T07:19:47.943Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"In Contacts Provider, there is a possible way to access the contacts database due to SQL injection. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-28576 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-28576"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-28576"},{"category":"external","summary":"source.android.com","url":"https://source.android.com/docs/security/bulletin/android-17"}]},"product_tree":{"branches":[{"category":"vendor","name":"Android","branches":[{"category":"product_name","name":"Android","branches":[{"category":"product_version","name":"17","product":{"name":"Android Android 17","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:android:android:17:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-28576","title":"In Contacts Provider, there is a possible way to access the contacts database due to SQL injection","notes":[{"category":"description","text":"In Contacts Provider, there is a possible way to access the contacts database due to SQL injection. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1"]},"scores":[{"cvss_v4":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H","baseScore":10,"baseSeverity":"CRITICAL"},"products":["CSAFPID-1"]}],"remediations":[{"category":"none_available","details":"No fixed version is published yet. Monitor the upstream advisory.","product_ids":["CSAFPID-1"]}]}]}