CVE-2026-33545: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in MobSF Mobile-Security-Framework-MobSF
CVE-2026-33545 is a medium severity SQL injection vulnerability in MobSF Mobile-Security-Framework versions prior to 4. 4. 6. The vulnerability exists in the read_sqlite() function, which uses unsafe Python string formatting to construct SQL queries with attacker-controlled table names from a SQLite database. This improper neutralization of special elements can lead to denial of service and SQL injection when analyzing malicious mobile applications with crafted SQLite databases. The issue is patched in version 4. 4. 6.
AI Analysis
Technical Summary
MobSF Mobile-Security-Framework versions before 4.4.6 contain a SQL injection vulnerability (CWE-89) in the read_sqlite() function located in mobsf/MobSF/utils.py. This function constructs SQL queries by directly interpolating table names obtained from the SQLite sqlite_master table using Python's % string formatting without parameterization or escaping. An attacker can exploit this by providing a malicious SQLite database with crafted table names, leading to SQL injection and denial of service. The vulnerability has a CVSS 3.1 base score of 5.3 (medium severity) and was publicly disclosed on 2026-03-26. The issue is fixed in MobSF version 4.4.6.
Potential Impact
Successful exploitation allows an attacker to cause denial of service and execute SQL injection attacks within the context of MobSF's database querying functionality when analyzing malicious mobile applications. There is no impact on confidentiality or integrity reported, but availability is affected. No known exploits are reported in the wild.
Mitigation Recommendations
Upgrade MobSF to version 4.4.6 or later, where this vulnerability is patched. Users running affected versions prior to 4.4.6 should apply the official update to remediate the issue. No other mitigation or temporary fix is documented.
CVE-2026-33545: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in MobSF Mobile-Security-Framework-MobSF
Description
CVE-2026-33545 is a medium severity SQL injection vulnerability in MobSF Mobile-Security-Framework versions prior to 4. 4. 6. The vulnerability exists in the read_sqlite() function, which uses unsafe Python string formatting to construct SQL queries with attacker-controlled table names from a SQLite database. This improper neutralization of special elements can lead to denial of service and SQL injection when analyzing malicious mobile applications with crafted SQLite databases. The issue is patched in version 4. 4. 6.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
MobSF Mobile-Security-Framework versions before 4.4.6 contain a SQL injection vulnerability (CWE-89) in the read_sqlite() function located in mobsf/MobSF/utils.py. This function constructs SQL queries by directly interpolating table names obtained from the SQLite sqlite_master table using Python's % string formatting without parameterization or escaping. An attacker can exploit this by providing a malicious SQLite database with crafted table names, leading to SQL injection and denial of service. The vulnerability has a CVSS 3.1 base score of 5.3 (medium severity) and was publicly disclosed on 2026-03-26. The issue is fixed in MobSF version 4.4.6.
Potential Impact
Successful exploitation allows an attacker to cause denial of service and execute SQL injection attacks within the context of MobSF's database querying functionality when analyzing malicious mobile applications. There is no impact on confidentiality or integrity reported, but availability is affected. No known exploits are reported in the wild.
Mitigation Recommendations
Upgrade MobSF to version 4.4.6 or later, where this vulnerability is patched. Users running affected versions prior to 4.4.6 should apply the official update to remediate the issue. No other mitigation or temporary fix is documented.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-20T18:05:11.832Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69c59e483c064ed76fcd5495
Added to database: 3/26/2026, 8:59:52 PM
Last enriched: 4/3/2026, 1:29:12 PM
Last updated: 5/11/2026, 5:35:23 AM
Views: 65
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.