CVE-2026-33545
MEDIUMMobSF has SQL Injection in its SQLite Database Viewer Utils
Title source: cnaDescription
MobSF is a mobile application security testing tool used. Prior to version 4.4.6, MobSF's `read_sqlite()` function in `mobsf/MobSF/utils.py` (lines 542-566) uses Python string formatting (`%`) to construct SQL queries with table names read from a SQLite database's `sqlite_master` table. When a security analyst uses MobSF to analyze a malicious mobile application containing a crafted SQLite database, attacker-controlled table names are interpolated directly into SQL queries without parameterization or escaping. This allows an attacker to cause denial of service and achieve SQL injection. Version 4.4.6 patches the issue.
References (3)
Core 3
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-hqjr-43r5-9q58
X_Refsource_Misc x_refsource_misc
https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/6f8a43c1b78d21cfbd7186aaafa7f622d990e0f1
X_Refsource_Misc x_refsource_misc
https://github.com/MobSF/Mobile-Security-Framework-MobSF/releases/tag/v4.4.6
Scores
CVSS v3
5.3
EPSS
0.0028
EPSS Percentile
19.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-89
Status
published
Products (3)
MobSF/Mobile-Security-Framework-MobSF
< 4.4.6
opensecurity/mobile_security_framework
< 4.4.6
pypi/mobsf
0 - 4.4.6PyPI
Published
Mar 26, 2026
Tracked Since
Mar 27, 2026