Description
MobSF is a mobile application security testing tool used. Prior to version 4.4.6, MobSF's `read_sqlite()` function in `mobsf/MobSF/utils.py` (lines 542-566) uses Python string formatting (`%`) to construct SQL queries with table names read from a SQLite database's `sqlite_master` table. When a security analyst uses MobSF to analyze a malicious mobile application containing a crafted SQLite database, attacker-controlled table names are interpolated directly into SQL queries without parameterization or escaping. This allows an attacker to cause denial of service and achieve SQL injection. Version 4.4.6 patches the issue.
Published: 2026-03-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection and Denial of Service
Action: Patch
AI Analysis

Impact

MobSF’s read_sqlite() function builds SQL queries using Python string formatting, incorporating table names directly from a SQLite database’s schema. A malicious database crafted by an attacker can introduce table names that, when interpolated into the query, trigger arbitrary SQL statements or corrupt execution flow. The vulnerability can lead to a denial of service and may expose internal database contents, matching CWE‑89.

Affected Systems

Mobile Security Framework (MobSF) versions prior to 4.4.6 are affected. Analysts running these versions with a crafted SQLite database can be exposed. Version 4.4.6 and later contain the fix, removing the unsafe string construction.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity. EPSS below 1 % reflects a low probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an attacker to supply a malicious database to the MobSF analysis environment, so the attack vector is local and depends on the analyst’s trust of inputs. Patching to 4.4.6 eliminates the risk.

Generated by OpenCVE AI on April 3, 2026 at 23:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MobSF to version 4.4.6 or later, which removes the unsafe query construction.

Generated by OpenCVE AI on April 3, 2026 at 23:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hqjr-43r5-9q58 MobSF has SQL Injection in its SQLite Database Viewer Utils
History

Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Opensecurity
Opensecurity mobile Security Framework
CPEs cpe:2.3:a:opensecurity:mobile_security_framework:*:*:*:*:*:*:*:*
Vendors & Products Opensecurity
Opensecurity mobile Security Framework

Sat, 28 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Mobsf
Mobsf mobile Security Framework
Vendors & Products Mobsf
Mobsf mobile Security Framework

Thu, 26 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
Description MobSF is a mobile application security testing tool used. Prior to version 4.4.6, MobSF's `read_sqlite()` function in `mobsf/MobSF/utils.py` (lines 542-566) uses Python string formatting (`%`) to construct SQL queries with table names read from a SQLite database's `sqlite_master` table. When a security analyst uses MobSF to analyze a malicious mobile application containing a crafted SQLite database, attacker-controlled table names are interpolated directly into SQL queries without parameterization or escaping. This allows an attacker to cause denial of service and achieve SQL injection. Version 4.4.6 patches the issue.
Title MobSF has SQL Injection in its SQLite Database Viewer Utils
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Subscriptions

Mobsf Mobile Security Framework
Opensecurity Mobile Security Framework
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T20:20:44.755Z

Reserved: 2026-03-20T18:05:11.832Z

Link: CVE-2026-33545

cve-icon Vulnrichment

Updated: 2026-03-27T20:20:40.317Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T21:17:06.047

Modified: 2026-04-03T20:28:05.560

Link: CVE-2026-33545

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T08:08:55Z

Weaknesses