The vulnerability CVE-2026-33545 affects the Mobile-Security-Framework-MobSF, a widely used tool for mobile application security testing. Prior to version 4.4.6, the read_sqlite() function in mobsf/MobSF/utils.py constructs SQL queries by directly interpolating table names obtained from the SQLite database's sqlite_master table using Python's '%' string formatting. This approach fails to properly sanitize or parameterize the table names, which can be attacker-controlled if the analyzed mobile application contains a maliciously crafted SQLite database. When MobSF processes such a database, the unsanitized table names are embedded directly into SQL commands, enabling SQL injection. This injection can be leveraged to cause denial of service by disrupting query execution or crashing the tool. The vulnerability does not allow unauthorized data access or modification (no confidentiality or integrity impact) but affects availability of the MobSF tool during analysis. Exploitation requires the security analyst to load a malicious app containing the crafted database, thus involving user interaction and a relatively high attack complexity. The vulnerability has a CVSS 3.1 base score of 5.3 (medium severity), reflecting network attack vector, high attack complexity, no privileges required, user interaction needed, unchanged scope, and impact limited to availability. The issue is fixed in MobSF version 4.4.6 by properly sanitizing or parameterizing the SQL queries to prevent injection.

The primary impact of this vulnerability is denial of service against the MobSF tool during mobile application security assessments. Organizations relying on MobSF versions prior to 4.4.6 may experience tool crashes or failures when analyzing maliciously crafted mobile applications containing SQLite databases with malicious table names. This can disrupt security testing workflows, delay vulnerability assessments, and reduce confidence in analysis results. Since MobSF is a popular open-source framework used globally by security teams, penetration testers, and researchers, widespread use of vulnerable versions could lead to operational disruptions. However, the vulnerability does not expose sensitive data or allow attackers to alter analysis results, limiting the impact to availability. There are no known exploits in the wild, reducing immediate risk, but targeted attackers could leverage this to hinder security evaluations or evade detection by causing tool failures.

To mitigate this vulnerability, organizations should upgrade MobSF to version 4.4.6 or later, where the SQL injection flaw is patched. Until upgrading, security analysts should avoid analyzing untrusted or suspicious mobile applications that may contain malicious SQLite databases with crafted table names. Implementing input validation or sanitization on the SQLite metadata before processing can reduce risk. Additionally, running MobSF in isolated environments or sandboxes can limit the impact of denial of service. Security teams should monitor MobSF usage logs for unexpected crashes or errors indicative of attempted exploitation. Incorporating static analysis or manual inspection of mobile app databases prior to full analysis may help identify suspicious constructs. Finally, educating analysts about this vulnerability and encouraging cautious handling of unknown apps will reduce exploitation likelihood.