CVE-2026-33545

Source
https://cve.org/CVERecord?id=CVE-2026-33545
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33545.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33545
Aliases
Published
2026-03-26T20:32:21.357Z
Modified
2026-04-10T05:42:53.138579Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
Summary
MobSF has SQL Injection in its SQLite Database Viewer Utils
Details

MobSF is a mobile application security testing tool. Prior to version 4.4.6, MobSF's read_sqlite() function in mobsf/MobSF/utils.py (lines 542-566) uses Python string formatting (%) to construct SQL queries with table names read from a SQLite database's sqlite_master table. When a security analyst uses MobSF to analyze a malicious mobile application containing a crafted SQLite database, attacker-controlled table names are interpolated directly into SQL queries without parameterization or escaping. This allows an attacker to cause a denial of service and achieve SQL injection. Version 4.4.6 patches the issue.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-89"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33545.json"
}
References

Affected packages

Git / github.com/mobsf/mobile-security-framework-mobsf

Affected ranges

Type
GIT
Repo
https://github.com/mobsf/mobile-security-framework-mobsf
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.4.6"
        }
    ]
}

Affected versions

0.*
0.8.3
0.8.4
0.8.5
0.8.6
0.8.7
0.8.8
0.8.8.1
0.8.8.2
0.9
0.9.1
v0.*
v0.9.2
v0.9.3
v0.9.3.1
v0.9.3.2
v0.9.3.3
v0.9.3.5
v0.9.3.6
v0.9.3.7
v0.9.4
v0.9.4.1
v0.9.4.2
v0.9.5
v0.9.5.2
v0.9.5.4
v0.9.5.5
v1.*
v1.0.3Beta
v1.1.5
v1.1.6
v2.*
v2.0.0
v3.*
v3.0.0
v3.0.1
v3.0.5
v3.1.1
v3.2.6
v3.2.8
v3.2.9
v3.3.3
v3.3.5
v3.4.0
v3.4.3
v3.4.6
v3.5.0
v3.6.0
v3.6.9
v3.7.6
v3.9.7
v4.*
v4.0.7
v4.1.3
v4.3.0
v4.3.2
v4.4.1
v4.4.2
v4.4.5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33545.json"