CVE-2026-33545

low-risk

Published 2026-03-26

MobSF is a mobile application security testing tool used. Prior to version 4.4.6, MobSF's `read_sqlite()` function in `mobsf/MobSF/utils.py` (lines 542-566) uses Python string formatting (`%`) to construct SQL queries with table names read from a SQLite database's `sqlite_master` table. When a security analyst uses MobSF to analyze a malicious mobile application containing a crafted SQLite database, attacker-controlled table names are interpolated directly into SQL queries without parameterization or escaping. This allows an attacker to cause denial of service and achieve SQL injection. Version 4.4.6 patches the issue.

Do I need to act?

0.03% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.3/10 Medium

NETWORK / HIGH complexity

Affected Products (1)

Mobile Security Framework

Affected Vendors

Opensecurity

References (3)

Patch https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/6f8a43c1b78d21cf...

Release Notes https://github.com/MobSF/Mobile-Security-Framework-MobSF/releases/tag/v4.4.6

Exploit https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHS...

/ 100

low-risk

Severity 17/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal