Description
MobSF is a mobile application security testing tool. Prior to version 4.4.6, MobSF's `read_sqlite()` function in `mobsf/MobSF/utils.py` (lines 542-566) uses Python string formatting (`%`) to construct SQL queries with table names read from a SQLite database's `sqlite_master` table. When a security analyst uses MobSF to analyze a malicious mobile application containing a crafted SQLite database, attacker-controlled table names are interpolated directly into SQL queries without parameterization or escaping. This allows an attacker to cause denial of service and achieve SQL injection. Version 4.4.6 patches the issue.
Published: 2026-03-26
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: Denial of Service and SQL Injection
Action: Apply Patch
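The formatting defect described above, as an added example that is not MobSF's own code: a constructed in-memory SQLite database stands in for one extracted from an analysed app, and the naive `%`-formatted reader is shown beside a hardened version that quotes table names as SQL identifiers (identifiers cannot be bound with `?` placeholders). All function names are hypothetical.

```python
import sqlite3
from typing import Dict, List, Tuple


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample standing in for a database pulled from an analysed app.
    One table has an ordinary name; the other has a name containing spaces and
    embedded double quotes, which naive string formatting cannot cope with."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')")
    con.execute('CREATE TABLE "weird ""quoted"" table" (x INTEGER)')
    con.execute('INSERT INTO "weird ""quoted"" table" VALUES (42)')
    con.commit()
    return con


def list_tables(con: sqlite3.Connection) -> List[str]:
    """Table names come straight from sqlite_master, i.e. from the untrusted file."""
    rows = con.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return [r[0] for r in rows]


def read_sqlite_unsafe(con: sqlite3.Connection) -> Dict[str, List[Tuple]]:
    """The vulnerable pattern: the untrusted name is spliced into the query text."""
    return {name: con.execute("SELECT * FROM %s" % name).fetchall()
            for name in list_tables(con)}


def quote_identifier(name: str) -> str:
    """Quote a SQLite identifier: wrap in double quotes and double any embedded
    double quote, so whatever the name contains it parses as one identifier."""
    return '"' + name.replace('"', '""') + '"'


def read_sqlite_safe(con: sqlite3.Connection) -> Dict[str, List[Tuple]]:
    """Hardened version: the table name is quoted as an identifier instead of
    being formatted into the statement as raw SQL text."""
    return {name: con.execute("SELECT * FROM " + quote_identifier(name)).fetchall()
            for name in list_tables(con)}


def unsafe_reader_breaks(con: sqlite3.Connection) -> bool:
    """True if the naive reader fails on this database (here a SQL syntax error,
    the kind of crash an untrusted table name can provoke)."""
    try:
        read_sqlite_unsafe(con)
    except sqlite3.Error:
        return True
    return False
```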
AI Analysis

Impact

MobSF contains a vulnerability in its SQLite Database Viewer Utils. The read_sqlite() function constructs SQL queries using Python string formatting, incorporating attacker‑controlled table names from a database’s sqlite_master table. This flaw enables an attacker to inject malicious SQL, potentially causing denial of service and compromising the integrity of the analysis process.

Affected Systems

The issue affects the MobSF tool (the Mobile-Security-Framework-MobSF project), specifically versions before 4.4.6. Users running any version lower than 4.4.6 are vulnerable when they analyze mobile applications that contain a crafted SQLite database.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.3, indicating medium severity. Exploitation requires a crafted Android or iOS application with a malicious SQLite database to be analyzed by the vulnerable MobSF instance; it does not provide an arbitrary remote code execution vector. While the probability of widespread exploitation is limited, processing such a payload can crash the analysis (denial of service) or execute attacker-supplied SQL statements. The vulnerability is not listed in CISA's KEV catalog and EPSS data is unavailable.

Generated by OpenCVE AI on March 26, 2026 at 22:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MobSF to version 4.4.6 or newer, which removes the insecure string formatting.
  • Until the upgrade can be applied, avoid analyzing applications that contain unknown or potentially malicious SQLite databases.



Advisories

Source | ID | Title
GitHub GHSA | GHSA-hqjr-43r5-9q58 | MobSF has SQL Injection in its SQLite Database Viewer Utils
History

Fri, 27 Mar 2026 08:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mobsf; Mobsf Mobile Security Framework
Vendors & Products | | Mobsf; Mobsf Mobile Security Framework

Thu, 26 Mar 2026 21:00:00 +0000

Type | Values Removed | Values Added
Description | | (verbatim copy of the description at the top of this page)
Title | | MobSF has SQL Injection in its SQLite Database Viewer Utils
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-03-26T20:32:21.357Z
Reserved: 2026-03-20T18:05:11.832Z
Link: CVE-2026-33545

Vulnrichment

No data.

NVD

Status: Received
Published: 2026-03-26T21:17:06.047
Modified: 2026-03-26T21:17:06.047
Link: CVE-2026-33545

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:23:31Z

Weaknesses