Vulnerability-Lookup

CVE-2026-33545 (GCVE-0-2026-33545)

Vulnerability from cvelistv5 – Published: 2026-03-26 20:32 – Updated: 2026-03-27 20:20

Title

MobSF has SQL Injection in its SQLite Database Viewer Utils

Summary

MobSF is a mobile application security testing tool used. Prior to version 4.4.6, MobSF's `read_sqlite()` function in `mobsf/MobSF/utils.py` (lines 542-566) uses Python string formatting (`%`) to construct SQL queries with table names read from a SQLite database's `sqlite_master` table. When a security analyst uses MobSF to analyze a malicious mobile application containing a crafted SQLite database, attacker-controlled table names are interpolated directly into SQL queries without parameterization or escaping. This allows an attacker to cause denial of service and achieve SQL injection. Version 4.4.6 patches the issue.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/MobSF/Mobile-Security-Framewor…	x_refsource_CONFIRM
	https://github.com/MobSF/Mobile-Security-Framewor…	x_refsource_MISC
	https://github.com/MobSF/Mobile-Security-Framewor…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	MobSF	Mobile-Security-Framework-MobSF	Affected: < 4.4.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33545",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-27T20:20:33.661833Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-27T20:20:44.755Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Mobile-Security-Framework-MobSF",
          "vendor": "MobSF",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.4.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "MobSF is a mobile application security testing tool used. Prior to version 4.4.6, MobSF\u0027s `read_sqlite()` function in `mobsf/MobSF/utils.py` (lines 542-566) uses Python string formatting (`%`) to construct SQL queries with table names read from a SQLite database\u0027s `sqlite_master` table. When a security analyst uses MobSF to analyze a malicious mobile application containing a crafted SQLite database, attacker-controlled table names are interpolated directly into SQL queries without parameterization or escaping. This allows an attacker to cause denial of service and achieve SQL injection. Version 4.4.6 patches the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-26T20:32:21.357Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-hqjr-43r5-9q58",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-hqjr-43r5-9q58"
        },
        {
          "name": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/6f8a43c1b78d21cfbd7186aaafa7f622d990e0f1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/6f8a43c1b78d21cfbd7186aaafa7f622d990e0f1"
        },
        {
          "name": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/releases/tag/v4.4.6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/releases/tag/v4.4.6"
        }
      ],
      "source": {
        "advisory": "GHSA-hqjr-43r5-9q58",
        "discovery": "UNKNOWN"
      },
      "title": "MobSF has SQL Injection in its SQLite Database Viewer Utils"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33545",
    "datePublished": "2026-03-26T20:32:21.357Z",
    "dateReserved": "2026-03-20T18:05:11.832Z",
    "dateUpdated": "2026-03-27T20:20:44.755Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33545\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-26T21:17:06.047\",\"lastModified\":\"2026-04-03T20:28:05.560\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"MobSF is a mobile application security testing tool used. Prior to version 4.4.6, MobSF\u0027s `read_sqlite()` function in `mobsf/MobSF/utils.py` (lines 542-566) uses Python string formatting (`%`) to construct SQL queries with table names read from a SQLite database\u0027s `sqlite_master` table. When a security analyst uses MobSF to analyze a malicious mobile application containing a crafted SQLite database, attacker-controlled table names are interpolated directly into SQL queries without parameterization or escaping. This allows an attacker to cause denial of service and achieve SQL injection. Version 4.4.6 patches the issue.\"},{\"lang\":\"es\",\"value\":\"MobSF es una herramienta utilizada para pruebas de seguridad de aplicaciones m\u00f3viles. Antes de la versi\u00f3n 4.4.6, la funci\u00f3n `read_sqlite()` de MobSF en `mobsf/MobSF/utils.py` (l\u00edneas 542-566) utiliza el formato de cadena de Python (\u0027%\u0027) para construir consultas SQL con nombres de tabla le\u00eddos de la tabla `sqlite_master` de una base de datos SQLite. Cuando un analista de seguridad utiliza MobSF para analizar una aplicaci\u00f3n m\u00f3vil maliciosa que contiene una base de datos SQLite manipulada, los nombres de tabla controlados por el atacante se interpolan directamente en las consultas SQL sin parametrizaci\u00f3n ni escape. Esto permite a un atacante causar denegaci\u00f3n de servicio y lograr inyecci\u00f3n SQL. La versi\u00f3n 4.4.6 corrige el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.6,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:opensecurity:mobile_security_framework:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.4.6\",\"matchCriteriaId\":\"5848A16B-0512-4FBE-8D64-7D14DDCA8625\"}]}]}],\"references\":[{\"url\":\"https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/6f8a43c1b78d21cfbd7186aaafa7f622d990e0f1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/MobSF/Mobile-Security-Framework-MobSF/releases/tag/v4.4.6\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-hqjr-43r5-9q58\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33545\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-27T20:20:33.661833Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-27T20:20:40.317Z\"}}], \"cna\": {\"title\": \"MobSF has SQL Injection in its SQLite Database Viewer Utils\", \"source\": {\"advisory\": \"GHSA-hqjr-43r5-9q58\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"MobSF\", \"product\": \"Mobile-Security-Framework-MobSF\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 4.4.6\"}]}], \"references\": [{\"url\": \"https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-hqjr-43r5-9q58\", \"name\": \"https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-hqjr-43r5-9q58\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/6f8a43c1b78d21cfbd7186aaafa7f622d990e0f1\", \"name\": \"https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/6f8a43c1b78d21cfbd7186aaafa7f622d990e0f1\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/MobSF/Mobile-Security-Framework-MobSF/releases/tag/v4.4.6\", \"name\": \"https://github.com/MobSF/Mobile-Security-Framework-MobSF/releases/tag/v4.4.6\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"MobSF is a mobile application security testing tool used. Prior to version 4.4.6, MobSF\u0027s `read_sqlite()` function in `mobsf/MobSF/utils.py` (lines 542-566) uses Python string formatting (`%`) to construct SQL queries with table names read from a SQLite database\u0027s `sqlite_master` table. When a security analyst uses MobSF to analyze a malicious mobile application containing a crafted SQLite database, attacker-controlled table names are interpolated directly into SQL queries without parameterization or escaping. This allows an attacker to cause denial of service and achieve SQL injection. Version 4.4.6 patches the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-89\", \"description\": \"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-26T20:32:21.357Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33545\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-27T20:20:44.755Z\", \"dateReserved\": \"2026-03-20T18:05:11.832Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-26T20:32:21.357Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-33545

Vulnerability from fkie_nvd - Published: 2026-03-26 21:17 - Updated: 2026-04-03 20:28

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/6f8a43c1b78d21cfbd7186aaafa7f622d990e0f1	Patch
security-advisories@github.com	https://github.com/MobSF/Mobile-Security-Framework-MobSF/releases/tag/v4.4.6	Release Notes
security-advisories@github.com	https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-hqjr-43r5-9q58	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	opensecurity	mobile_security_framework	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:opensecurity:mobile_security_framework:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5848A16B-0512-4FBE-8D64-7D14DDCA8625",
              "versionEndExcluding": "4.4.6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "MobSF is a mobile application security testing tool used. Prior to version 4.4.6, MobSF\u0027s `read_sqlite()` function in `mobsf/MobSF/utils.py` (lines 542-566) uses Python string formatting (`%`) to construct SQL queries with table names read from a SQLite database\u0027s `sqlite_master` table. When a security analyst uses MobSF to analyze a malicious mobile application containing a crafted SQLite database, attacker-controlled table names are interpolated directly into SQL queries without parameterization or escaping. This allows an attacker to cause denial of service and achieve SQL injection. Version 4.4.6 patches the issue."
    },
    {
      "lang": "es",
      "value": "MobSF es una herramienta utilizada para pruebas de seguridad de aplicaciones m\u00f3viles. Antes de la versi\u00f3n 4.4.6, la funci\u00f3n `read_sqlite()` de MobSF en `mobsf/MobSF/utils.py` (l\u00edneas 542-566) utiliza el formato de cadena de Python (\u0027%\u0027) para construir consultas SQL con nombres de tabla le\u00eddos de la tabla `sqlite_master` de una base de datos SQLite. Cuando un analista de seguridad utiliza MobSF para analizar una aplicaci\u00f3n m\u00f3vil maliciosa que contiene una base de datos SQLite manipulada, los nombres de tabla controlados por el atacante se interpolan directamente en las consultas SQL sin parametrizaci\u00f3n ni escape. Esto permite a un atacante causar denegaci\u00f3n de servicio y lograr inyecci\u00f3n SQL. La versi\u00f3n 4.4.6 corrige el problema."
    }
  ],
  "id": "CVE-2026-33545",
  "lastModified": "2026-04-03T20:28:05.560",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-03-26T21:17:06.047",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/6f8a43c1b78d21cfbd7186aaafa7f622d990e0f1"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/releases/tag/v4.4.6"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-hqjr-43r5-9q58"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-HQJR-43R5-9Q58

Vulnerability from github – Published: 2026-03-24 19:23 – Updated: 2026-03-27 21:17

Summary

MobSF has SQL Injection in its SQLite Database Viewer Utils

Details

Description

MobSF's read_sqlite() function in mobsf/MobSF/utils.py (lines 542-566) uses Python string formatting (%) to construct SQL queries with table names read from a SQLite database's sqlite_master table. When a security analyst uses MobSF to analyze a malicious mobile application containing a crafted SQLite database, attacker-controlled table names are interpolated directly into SQL queries without parameterization or escaping.

This allows an attacker to:

Cause Denial of Service -- A malicious table name causes the database viewer to crash, preventing the analyst from viewing ANY data in the SQLite database. A malicious app can use this to hide sensitive data (C2 server URLs, stolen credentials, API keys) from MobSF's analysis.
Achieve SQL Injection -- The SELECT * FROM query on line 557 is provably injectable via UNION SELECT, allowing attacker-controlled data to be returned in query results. The current code structure (a PRAGMA statement that runs first on line 553) limits the full exploitation chain, but the underlying code is verifiably injectable.

Root Cause

The vulnerable code in mobsf/MobSF/utils.py:542-566:

def read_sqlite(sqlite_file):
    """Sqlite Dump - Readable Text."""
    table_dict = {}
    try:
        con = sqlite3.connect(sqlite_file)
        cur = con.cursor()
        cur.execute('SELECT name FROM sqlite_master WHERE type=\'table\';')
        tables = cur.fetchall()
        for table in tables:
            table_dict[table[0]] = {'head': [], 'data': []}
            cur.execute('PRAGMA table_info(\'%s\')' % table)    # <-- INJECTION POINT 1
            rows = cur.fetchall()
            for sq_row in rows:
                table_dict[table[0]]['head'].append(sq_row[1])
            cur.execute('SELECT * FROM \'%s\'' % table)         # <-- INJECTION POINT 2
            rows = cur.fetchall()
            for sq_row in rows:
                tmp_row = []
                for each_row in sq_row:
                    tmp_row.append(str(each_row))
                table_dict[table[0]]['data'].append(tmp_row)
    except Exception:
        logger.exception('Reading SQLite db')
    return table_dict

Lines 553 and 557 use % string formatting to interpolate table (a tuple from sqlite_master) directly into SQL strings. The table value is attacker-controlled when the SQLite database originates from a malicious application being analyzed.

Attack Vector

The read_sqlite() function is called from two locations:

Dynamic Analysis File Viewer (mobsf/DynamicAnalyzer/views/common/device.py:64):
Triggered when an analyst clicks to view a .db file in device data
Applies to both Android and iOS dynamic analysis
iOS Static Analysis File Viewer (mobsf/StaticAnalyzer/views/ios/views/view_source.py:123):
Triggered when an analyst clicks to view a .db file during iOS static analysis

Attack Scenario

Attacker creates a malicious Android APK (or iOS IPA) containing a SQLite database with a crafted table name in the assets/ directory
The SQLite database contains a table created with: sql CREATE TABLE "x' UNION SELECT 'SQL_INJECTION_PROOF'--" (id INTEGER);
Security analyst uploads the application to MobSF for analysis
Analyst browses the extracted files and clicks to view the SQLite database
MobSF's read_sqlite() reads table names from sqlite_master, including the malicious name x' UNION SELECT 'SQL_INJECTION_PROOF'--
The table name is interpolated into SQL queries via string formatting:
PRAGMA table_info('x' UNION SELECT 'SQL_INJECTION_PROOF'--') -- causes syntax error (DoS)
SELECT * FROM 'x' UNION SELECT 'SQL_INJECTION_PROOF'--' -- SQL injection (UNION SELECT returns attacker data)

Impact

Denial of Service (Confirmed)

When the malicious table name is the first table in sqlite_master (i.e., created first in the database), the PRAGMA statement on line 553 raises a sqlite3.OperationalError, which is caught by the outer try/except. This causes read_sqlite() to return an empty or partial result, preventing the analyst from viewing any database content.

Security impact: A malicious app author can use this technique to hide incriminating data stored in SQLite databases from MobSF's analysis. This directly undermines MobSF's core purpose as a security analysis tool.

SQL Injection (Confirmed in Isolation)

The SELECT * FROM query on line 557 is demonstrably injectable. When the malicious table name x' UNION SELECT 'SQL_INJECTION_PROOF'-- is interpolated, the resulting query:

SELECT * FROM 'x' UNION SELECT 'SQL_INJECTION_PROOF'--'

Successfully executes and returns attacker-controlled data via UNION SELECT. The -- comments out the trailing single quote. This is verified by the PoC script.

Note: In the current code structure, the PRAGMA table_info() statement on line 553 runs before the SELECT * FROM on line 557. The PRAGMA fails with a syntax error for injected payloads, which triggers the exception handler before the SELECT can execute. This limits the full exploitation chain. However, the code flaw is real and any future refactoring that changes the execution order or removes the PRAGMA would immediately expose the full SQL injection.

Proof of Concept

Files Provided(Gdrive)

File	Description
`poc_sqlite_injection.py`	Standalone PoC demonstrating the vulnerability
`malicious.db`	Crafted SQLite database (generated by PoC)
`create_malicious_apk.sh`	Script to package the malicious DB into an APK
`malicious_sqli.apk`	Pre-built APK for testing against MobSF

https://drive.google.com/drive/folders/1mNGkFfNowkaZ5J018HFi4IQcnjKaWCym?usp=sharing

Running the PoC

# Run the standalone PoC (no MobSF required)
python3 poc_sqlite_injection.py

# Build the malicious APK (requires Android SDK)
./create_malicious_apk.sh

# Test against MobSF
# 1. Start MobSF
# 2. Upload malicious_sqli.apk
# 3. Browse extracted files -> click app_data.db
# 4. Observe: database viewer fails (DoS)

PoC Output (Abbreviated)

[STEP 2] Running MobSF's read_sqlite() against malicious database...
    [!] EXCEPTION CAUGHT: OperationalError: near "UNION": syntax error
    [!] DoS CONFIRMED: read_sqlite() crashed

[STEP 3] Demonstrating SELECT * FROM injection in isolation...
    Query: SELECT * FROM 'x' UNION SELECT 'SQL_INJECTION_PROOF'--'
    [+] Query executed successfully!
    [+] Results: [('SQL_INJECTION_PROOF',), ('normal_data',)]
    [+] SQL INJECTION CONFIRMED

[STEP 4] Complete DoS (malicious table created first):
    Tables with data: NONE
    [!] COMPLETE DoS CONFIRMED

Suggested Fix

Replace string formatting with properly quoted identifiers. SQLite uses double quotes for identifiers:

def read_sqlite(sqlite_file):
    """Sqlite Dump - Readable Text."""
    table_dict = {}
    try:
        con = sqlite3.connect(sqlite_file)
        cur = con.cursor()
        cur.execute('SELECT name FROM sqlite_master WHERE type=\'table\';')
        tables = cur.fetchall()
        for table in tables:
            table_name = table[0]
            # Properly escape table name as a double-quoted identifier
            safe_name = table_name.replace('"', '""')
            table_dict[table_name] = {'head': [], 'data': []}
            cur.execute(f'PRAGMA table_info("{safe_name}")')
            rows = cur.fetchall()
            for sq_row in rows:
                table_dict[table_name]['head'].append(sq_row[1])
            cur.execute(f'SELECT * FROM "{safe_name}"')
            rows = cur.fetchall()
            for sq_row in rows:
                tmp_row = []
                for each_row in sq_row:
                    tmp_row.append(str(each_row))
                table_dict[table_name]['data'].append(tmp_row)
    except Exception:
        logger.exception('Reading SQLite db')
    return table_dict

This escapes any double quotes within table names by doubling them (" → ""), which is the standard SQL mechanism for identifier quoting. This prevents breakout from the double-quoted identifier context.

Resources

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
OWASP SQL Injection: https://owasp.org/www-community/attacks/SQL_Injection
Affected File: mobsf/MobSF/utils.py, lines 542-566

Severity ?

5.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.4.5"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "mobsf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.4.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33545"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-24T19:23:52Z",
    "nvd_published_at": "2026-03-26T21:17:06Z",
    "severity": "MODERATE"
  },
  "details": "## Description\n\nMobSF\u0027s `read_sqlite()` function in `mobsf/MobSF/utils.py` (lines 542-566) uses Python string formatting (`%`) to construct SQL queries with table names read from a SQLite database\u0027s `sqlite_master` table. When a security analyst uses MobSF to analyze a malicious mobile application containing a crafted SQLite database, attacker-controlled table names are interpolated directly into SQL queries without parameterization or escaping.\n\nThis allows an attacker to:\n\n1. **Cause Denial of Service** -- A malicious table name causes the database viewer to crash, preventing the analyst from viewing ANY data in the SQLite database. A malicious app can use this to hide sensitive data (C2 server URLs, stolen credentials, API keys) from MobSF\u0027s analysis.\n\n2. **Achieve SQL Injection** -- The `SELECT * FROM` query on line 557 is provably injectable via `UNION SELECT`, allowing attacker-controlled data to be returned in query results. The current code structure (a `PRAGMA` statement that runs first on line 553) limits the full exploitation chain, but the underlying code is verifiably injectable.\n\n## Root Cause\n\nThe vulnerable code in `mobsf/MobSF/utils.py:542-566`:\n\n```python\ndef read_sqlite(sqlite_file):\n    \"\"\"Sqlite Dump - Readable Text.\"\"\"\n    table_dict = {}\n    try:\n        con = sqlite3.connect(sqlite_file)\n        cur = con.cursor()\n        cur.execute(\u0027SELECT name FROM sqlite_master WHERE type=\\\u0027table\\\u0027;\u0027)\n        tables = cur.fetchall()\n        for table in tables:\n            table_dict[table[0]] = {\u0027head\u0027: [], \u0027data\u0027: []}\n            cur.execute(\u0027PRAGMA table_info(\\\u0027%s\\\u0027)\u0027 % table)    # \u003c-- INJECTION POINT 1\n            rows = cur.fetchall()\n            for sq_row in rows:\n                table_dict[table[0]][\u0027head\u0027].append(sq_row[1])\n            cur.execute(\u0027SELECT * FROM \\\u0027%s\\\u0027\u0027 % table)         # \u003c-- INJECTION POINT 2\n            rows = cur.fetchall()\n            for sq_row in rows:\n                tmp_row = []\n                for each_row in sq_row:\n                    tmp_row.append(str(each_row))\n                table_dict[table[0]][\u0027data\u0027].append(tmp_row)\n    except Exception:\n        logger.exception(\u0027Reading SQLite db\u0027)\n    return table_dict\n```\n\n**Lines 553 and 557** use `%` string formatting to interpolate `table` (a tuple from `sqlite_master`) directly into SQL strings. The `table` value is attacker-controlled when the SQLite database originates from a malicious application being analyzed.\n\n## Attack Vector\n\nThe `read_sqlite()` function is called from two locations:\n\n1. **Dynamic Analysis File Viewer** (`mobsf/DynamicAnalyzer/views/common/device.py:64`):\n   - Triggered when an analyst clicks to view a `.db` file in device data\n   - Applies to both Android and iOS dynamic analysis\n\n2. **iOS Static Analysis File Viewer** (`mobsf/StaticAnalyzer/views/ios/views/view_source.py:123`):\n   - Triggered when an analyst clicks to view a `.db` file during iOS static analysis\n\n### Attack Scenario\n\n1. Attacker creates a malicious Android APK (or iOS IPA) containing a SQLite database with a crafted table name in the `assets/` directory\n2. The SQLite database contains a table created with:\n   ```sql\n   CREATE TABLE \"x\u0027 UNION SELECT \u0027SQL_INJECTION_PROOF\u0027--\" (id INTEGER);\n   ```\n3. Security analyst uploads the application to MobSF for analysis\n4. Analyst browses the extracted files and clicks to view the SQLite database\n5. MobSF\u0027s `read_sqlite()` reads table names from `sqlite_master`, including the malicious name `x\u0027 UNION SELECT \u0027SQL_INJECTION_PROOF\u0027--`\n6. The table name is interpolated into SQL queries via string formatting:\n   - `PRAGMA table_info(\u0027x\u0027 UNION SELECT \u0027SQL_INJECTION_PROOF\u0027--\u0027)` -- causes syntax error (DoS)\n   - `SELECT * FROM \u0027x\u0027 UNION SELECT \u0027SQL_INJECTION_PROOF\u0027--\u0027` -- SQL injection (UNION SELECT returns attacker data)\n\n## Impact\n\n### Denial of Service (Confirmed)\n\nWhen the malicious table name is the first table in `sqlite_master` (i.e., created first in the database), the `PRAGMA` statement on line 553 raises a `sqlite3.OperationalError`, which is caught by the outer `try/except`. This causes `read_sqlite()` to return an empty or partial result, preventing the analyst from viewing **any** database content.\n\n**Security impact:** A malicious app author can use this technique to **hide incriminating data** stored in SQLite databases from MobSF\u0027s analysis. This directly undermines MobSF\u0027s core purpose as a security analysis tool.\n\n### SQL Injection (Confirmed in Isolation)\n\nThe `SELECT * FROM` query on line 557 is demonstrably injectable. When the malicious table name `x\u0027 UNION SELECT \u0027SQL_INJECTION_PROOF\u0027--` is interpolated, the resulting query:\n\n```sql\nSELECT * FROM \u0027x\u0027 UNION SELECT \u0027SQL_INJECTION_PROOF\u0027--\u0027\n```\n\nSuccessfully executes and returns attacker-controlled data via `UNION SELECT`. The `--` comments out the trailing single quote. This is verified by the PoC script.\n\n**Note:** In the current code structure, the `PRAGMA table_info()` statement on line 553 runs before the `SELECT * FROM` on line 557. The PRAGMA fails with a syntax error for injected payloads, which triggers the exception handler before the SELECT can execute. This limits the full exploitation chain. However, the code flaw is real and any future refactoring that changes the execution order or removes the PRAGMA would immediately expose the full SQL injection.\n\n## Proof of Concept\n\n### Files Provided(Gdrive)\n\n| File | Description |\n|------|-------------|\n| `poc_sqlite_injection.py` | Standalone PoC demonstrating the vulnerability |\n| `malicious.db` | Crafted SQLite database (generated by PoC) |\n| `create_malicious_apk.sh` | Script to package the malicious DB into an APK |\n| `malicious_sqli.apk` | Pre-built APK for testing against MobSF |\n\nhttps://drive.google.com/drive/folders/1mNGkFfNowkaZ5J018HFi4IQcnjKaWCym?usp=sharing\n\n\n### Running the PoC\n\n```bash\n# Run the standalone PoC (no MobSF required)\npython3 poc_sqlite_injection.py\n\n# Build the malicious APK (requires Android SDK)\n./create_malicious_apk.sh\n\n# Test against MobSF\n# 1. Start MobSF\n# 2. Upload malicious_sqli.apk\n# 3. Browse extracted files -\u003e click app_data.db\n# 4. Observe: database viewer fails (DoS)\n```\n\n### PoC Output (Abbreviated)\n\n```\n[STEP 2] Running MobSF\u0027s read_sqlite() against malicious database...\n    [!] EXCEPTION CAUGHT: OperationalError: near \"UNION\": syntax error\n    [!] DoS CONFIRMED: read_sqlite() crashed\n\n[STEP 3] Demonstrating SELECT * FROM injection in isolation...\n    Query: SELECT * FROM \u0027x\u0027 UNION SELECT \u0027SQL_INJECTION_PROOF\u0027--\u0027\n    [+] Query executed successfully!\n    [+] Results: [(\u0027SQL_INJECTION_PROOF\u0027,), (\u0027normal_data\u0027,)]\n    [+] SQL INJECTION CONFIRMED\n\n[STEP 4] Complete DoS (malicious table created first):\n    Tables with data: NONE\n    [!] COMPLETE DoS CONFIRMED\n```\n\n## Suggested Fix\n\nReplace string formatting with properly quoted identifiers. SQLite uses double quotes for identifiers:\n\n```python\ndef read_sqlite(sqlite_file):\n    \"\"\"Sqlite Dump - Readable Text.\"\"\"\n    table_dict = {}\n    try:\n        con = sqlite3.connect(sqlite_file)\n        cur = con.cursor()\n        cur.execute(\u0027SELECT name FROM sqlite_master WHERE type=\\\u0027table\\\u0027;\u0027)\n        tables = cur.fetchall()\n        for table in tables:\n            table_name = table[0]\n            # Properly escape table name as a double-quoted identifier\n            safe_name = table_name.replace(\u0027\"\u0027, \u0027\"\"\u0027)\n            table_dict[table_name] = {\u0027head\u0027: [], \u0027data\u0027: []}\n            cur.execute(f\u0027PRAGMA table_info(\"{safe_name}\")\u0027)\n            rows = cur.fetchall()\n            for sq_row in rows:\n                table_dict[table_name][\u0027head\u0027].append(sq_row[1])\n            cur.execute(f\u0027SELECT * FROM \"{safe_name}\"\u0027)\n            rows = cur.fetchall()\n            for sq_row in rows:\n                tmp_row = []\n                for each_row in sq_row:\n                    tmp_row.append(str(each_row))\n                table_dict[table_name][\u0027data\u0027].append(tmp_row)\n    except Exception:\n        logger.exception(\u0027Reading SQLite db\u0027)\n    return table_dict\n```\n\nThis escapes any double quotes within table names by doubling them (`\"` \u2192 `\"\"`), which is the standard SQL mechanism for identifier quoting. This prevents breakout from the double-quoted identifier context.\n\n## Resources\n\n- **CWE-89**: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\n- **OWASP SQL Injection**: https://owasp.org/www-community/attacks/SQL_Injection\n- **Affected File**: `mobsf/MobSF/utils.py`, lines 542-566",
  "id": "GHSA-hqjr-43r5-9q58",
  "modified": "2026-03-27T21:17:40Z",
  "published": "2026-03-24T19:23:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-hqjr-43r5-9q58"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33545"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/6f8a43c1b78d21cfbd7186aaafa7f622d990e0f1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/releases/tag/v4.4.6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "MobSF has SQL Injection in its SQLite Database Viewer Utils"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-33545 (GCVE-0-2026-33545)

FKIE_CVE-2026-33545

GHSA-HQJR-43R5-9Q58

Description

Root Cause

Attack Vector

Attack Scenario

Impact

Denial of Service (Confirmed)

SQL Injection (Confirmed in Isolation)

Proof of Concept

Files Provided(Gdrive)

Running the PoC

PoC Output (Abbreviated)

Suggested Fix

Resources

Tags

Sightings

Nomenclature