CVE-2026-33545

MobSF is a mobile application security testing tool used. Prior to version 4.4.6, MobSF's `read_sqlite()` function in `mobsf/MobSF/utils.py` (lines 542-566) uses Python string formatting (`%`) to construct SQL queries with table names read from a SQLite database's `sqlite_master` table. When a security analyst uses MobSF to analyze a malicious mobile application containing a crafted SQLite database, attacker-controlled table names are interpolated directly into SQL queries without parameterization or escaping. This allows an attacker to cause denial of service and achieve SQL injection. Version 4.4.6 patches the issue.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.6 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/6f8a43c1b78d21cfbd7186aaafa7f622d990e0f1
https://github.com/MobSF/Mobile-Security-Framework-MobSF/releases/tag/v4.4.6
https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-hqjr-43r5-9q58

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-26 21:17

Updated : 2026-03-30 13:26

NVD link : CVE-2026-33545

Mitre link : CVE-2026-33545

CVE.ORG link : CVE-2026-33545

JSON object : View

Products Affected

No product.

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2026-33545", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.6}]}, "published": "2026-03-26T21:17:06.047", "references": [{"url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/6f8a43c1b78d21cfbd7186aaafa7f622d990e0f1", "source": "security-advisories@github.com"}, {"url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/releases/tag/v4.4.6", "source": "security-advisories@github.com"}, {"url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-hqjr-43r5-9q58", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "MobSF is a mobile application security testing tool used. Prior to version 4.4.6, MobSF's `read_sqlite()` function in `mobsf/MobSF/utils.py` (lines 542-566) uses Python string formatting (`%`) to construct SQL queries with table names read from a SQLite database's `sqlite_master` table. When a security analyst uses MobSF to analyze a malicious mobile application containing a crafted SQLite database, attacker-controlled table names are interpolated directly into SQL queries without parameterization or escaping. This allows an attacker to cause denial of service and achieve SQL injection. Version 4.4.6 patches the issue."}, {"lang": "es", "value": "MobSF es una herramienta utilizada para pruebas de seguridad de aplicaciones m\u00f3viles. Antes de la versi\u00f3n 4.4.6, la funci\u00f3n `read_sqlite()` de MobSF en `mobsf/MobSF/utils.py` (l\u00edneas 542-566) utiliza el formato de cadena de Python ('%') para construir consultas SQL con nombres de tabla le\u00eddos de la tabla `sqlite_master` de una base de datos SQLite. Cuando un analista de seguridad utiliza MobSF para analizar una aplicaci\u00f3n m\u00f3vil maliciosa que contiene una base de datos SQLite manipulada, los nombres de tabla controlados por el atacante se interpolan directamente en las consultas SQL sin parametrizaci\u00f3n ni escape. Esto permite a un atacante causar denegaci\u00f3n de servicio y lograr inyecci\u00f3n SQL. La versi\u00f3n 4.4.6 corrige el problema."}], "lastModified": "2026-03-30T13:26:50.827", "sourceIdentifier": "security-advisories@github.com"}