CVE-2026-8074 Improper Permission Check Allows User Manager to Deactivate Bot Accounts

Mattermost versions 11.7.x = 11.7.0, 10.11.x = 10.11.17 fail to enforce bot-specific permission checks on the user active status endpoint, which allows a User Manager with user management write access but no Integrations access to deactivate bot accounts via the PUT /api/v4/users/id/active API...

CVE-2026-56295 Capgo - Policy Enforcement Bypass in Webhook Management Endpoints via Non-Expiring API Keys

Capgo before 12.128.2 contains an authorization bypass vulnerability in webhook management endpoints that allows non-expiring API keys to bypass the requireapikeyexpiration organization policy. The checkWebhookPermission function fails to call apikeyHasOrgRightWithPolicy, enabling attackers with...

CVE-2026-42489

This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE. To create and manage guests, domctl operations are used by the control domain, a possible Xenstore domain, or by a domain controlling a particular guest. Some of these...

CVE-2026-28573

In AndroidManifest.xml, there is a possible persistent denial of service due to a missing permission check. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation...

EUVD-2026-37857

In AndroidManifest.xml, there is a possible persistent denial of service due to a missing permission check. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation...

CVE-2026-28573

CVE-2026-28573 affects Android Wear OS via a Framework component vulnerability described as a local denial of service in AndroidManifest.xml due to a missing permission check. The CVE is characterized as high severity with a CVSSv4 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:I:H/CI:H/AI:H; impacts ...

PT-2026-50641

Name of the Vulnerable Software and Affected Versions Google Android affected versions not specified Description A missing permission check in the AndroidManifest.xml file allows for a persistent local denial of service. This issue can be triggered without requiring user interaction or additional...

EUVD-2026-37555

In Contacts Provider, there is a possible way to access an incoming call's phone number and associated metadata due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation...

CVE-2026-0071

In SettingsLib, there is a possible missing permission check due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

CVE-2026-0081

In NFC, there is a possible way to spoof an NFC event due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

CVE-2026-0092

In Package Manager, there is a possible device lock controller bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

CVE-2026-0057

In Contacts Provider, there is a possible way to access an incoming call's phone number and associated metadata due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation...

CVE-2025-48640

In multiple locations, there is a possible 3rd party passkey entry pairing approval due to a missing permission check. This could lead to remote proximal/adjacent escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

CVE-2026-28587

CVE-2026-28587 affects the MmsSmsProvider component (MmsSmsProvider.java), enabling local information disclosure via a missing permission check. Exploitation requires no user interaction and does not require additional privileges; impact is confined to information disclosure. The vulnerability is...

CVE-2026-28587

In MmsSmsProvider of MmsSmsProvider.java, there is a possible way to retrieve sensitive information due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation...

CVE-2026-0081

In NFC, there is a possible way to spoof an NFC event due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

CVE-2026-0081

CVE-2026-0081 concerns the Android NFC stack. The connected documents indicate a missing permission check in NFC that could allow spoofing an NFC event, enabling local escalation of privilege without any additional execution privileges and without user interaction. The exploitation details are no...

CVE-2026-0071

In SettingsLib, there is a possible missing permission check due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

CVE-2026-0071

Summary: CVE-2026-0071 affects SettingsLib where a logic error may skip a permission check, enabling local escalation of privilege with no additional privileges or user interaction required. The vulnerability is described across NVD, ENISA EUVD, CVE records, and PT/security bulletins, all citing ...

CVE-2026-0092

In Package Manager, there is a possible device lock controller bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...