{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33545", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T18:05:11.832Z", "datePublished": "2026-03-26T20:32:21.357Z", "dateUpdated": "2026-03-27T20:20:44.755Z"}, "containers": {"cna": {"title": "MobSF has SQL Injection in its SQLite Database Viewer Utils", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-hqjr-43r5-9q58", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-hqjr-43r5-9q58"}, {"name": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/6f8a43c1b78d21cfbd7186aaafa7f622d990e0f1", "tags": ["x_refsource_MISC"], "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/6f8a43c1b78d21cfbd7186aaafa7f622d990e0f1"}, {"name": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/releases/tag/v4.4.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/releases/tag/v4.4.6"}], "affected": [{"vendor": "MobSF", "product": "Mobile-Security-Framework-MobSF", "versions": [{"version": "< 4.4.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T20:32:21.357Z"}, "descriptions": [{"lang": "en", "value": "MobSF is a mobile application security testing tool used. Prior to version 4.4.6, MobSF's `read_sqlite()` function in `mobsf/MobSF/utils.py` (lines 542-566) uses Python string formatting (`%`) to construct SQL queries with table names read from a SQLite database's `sqlite_master` table. When a security analyst uses MobSF to analyze a malicious mobile application containing a crafted SQLite database, attacker-controlled table names are interpolated directly into SQL queries without parameterization or escaping. This allows an attacker to cause denial of service and achieve SQL injection. Version 4.4.6 patches the issue."}], "source": {"advisory": "GHSA-hqjr-43r5-9q58", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T20:20:33.661833Z", "id": "CVE-2026-33545", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T20:20:44.755Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33545", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T20:20:33.661833Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T20:20:40.317Z"}}], "cna": {"title": "MobSF has SQL Injection in its SQLite Database Viewer Utils", "source": {"advisory": "GHSA-hqjr-43r5-9q58", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "MobSF", "product": "Mobile-Security-Framework-MobSF", "versions": [{"status": "affected", "version": "< 4.4.6"}]}], "references": [{"url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-hqjr-43r5-9q58", "name": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-hqjr-43r5-9q58", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/6f8a43c1b78d21cfbd7186aaafa7f622d990e0f1", "name": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/6f8a43c1b78d21cfbd7186aaafa7f622d990e0f1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/releases/tag/v4.4.6", "name": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/releases/tag/v4.4.6", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "MobSF is a mobile application security testing tool used. Prior to version 4.4.6, MobSF's `read_sqlite()` function in `mobsf/MobSF/utils.py` (lines 542-566) uses Python string formatting (`%`) to construct SQL queries with table names read from a SQLite database's `sqlite_master` table. When a security analyst uses MobSF to analyze a malicious mobile application containing a crafted SQLite database, attacker-controlled table names are interpolated directly into SQL queries without parameterization or escaping. This allows an attacker to cause denial of service and achieve SQL injection. Version 4.4.6 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T20:32:21.357Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33545", "state": "PUBLISHED", "dateUpdated": "2026-03-27T20:20:44.755Z", "dateReserved": "2026-03-20T18:05:11.832Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T20:32:21.357Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "MobSF is a mobile application security testing tool used. Prior to version 4.4.6, MobSF's `read_sqlite()` function in `mobsf/MobSF/utils.py` (lines 542-566) uses Python string formatting (`%`) to construct SQL queries with table names read from a SQLite database's `sqlite_master` table. When a security analyst uses MobSF to analyze a malicious mobile application containing a crafted SQLite database, attacker-controlled table names are interpolated directly into SQL queries without parameterization or escaping. This allows an attacker to cause denial of service and achieve SQL injection. Version 4.4.6 patches the issue."}], "id": "CVE-2026-33545", "lastModified": "2026-03-26T21:17:06.047", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-03-26T21:17:06.047", "references": [{"source": "[email protected]", "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/6f8a43c1b78d21cfbd7186aaafa7f622d990e0f1"}, {"source": "[email protected]", "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/releases/tag/v4.4.6"}, {"source": "[email protected]", "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-hqjr-43r5-9q58"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "[email protected]", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.4.6)"}}], "enrichment": {"confidence": 91.0, "confidence_source": "matching", "scores": [{"score": 91.0, "source": "matching"}]}, "original": {"product": "Mobile-Security-Framework-MobSF", "source": "cna", "vendor": "MobSF"}, "product": "mobile_security_framework", "vendor": "mobsf"}], "analysis": {"en": {"generated_at": "2026-03-26T22:25:58.106145+00:00", "value": {"mitigation_remediation": ["Upgrade MobSF to version 4.4.6 or newer, which removes the insecure string formatting.", "Until the upgrade can be applied, avoid analyzing applications that contain unknown or potentially malicious SQLite databases."], "summary": {"action": "Apply Patch", "impact": "Denial of Service and SQL Injection"}, "threat_synthesis": {"affected_systems": "The issue affects the MobSF Mobile\u2011Security\u2011Framework\u2011MobSF tool, specifically versions before 4.4.6. Users running any version lower than 4.4.6 are vulnerable when they analyze mobile applications that contain a crafted SQLite database.", "description_and_impact": "MobSF contains a vulnerability in its SQLite Database Viewer Utils. The read_sqlite() function constructs SQL queries using Python string formatting, incorporating attacker\u2011controlled table names from a database\u2019s sqlite_master table. This flaw enables an attacker to inject malicious SQL, potentially causing denial of service and compromising the integrity of the analysis process.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 5.3, indicating medium severity. Exploitation requires a crafted Android or iOS application with a malicious SQLite database to be analyzed by the vulnerable MobSF instance; it does not provide an arbitrary remote code execution vector. While the probability of widespread exploitation is limited, an analyst can trigger a denial of service or inject unwanted SQL statements if such a payload is processed. The vulnerability is not listed in CISA\u2019s KEV catalog and EPSS data is unavailable."}}}}, "created": "2026-03-27T08:32:03.413768+00:00", "updated": "2026-03-27T09:23:31.323438+00:00", "vendors": ["mobsf", "mobsf$PRODUCT$mobile_security_framework"]}