PT-2026-27625 · Mobsf · Mobsf

Djvirus9 · Published 2026-03-24 · Updated 2026-03-26 · CVE-2026-33545

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: MobSF versions prior to 4.4.6
Description: MobSF, a mobile application security testing tool, contains a flaw in its read_sqlite() function located in mobsf/MobSF/utils.py (lines 542-566). This function uses Python string formatting (%) to construct SQL queries from table names read out of a SQLite database's sqlite_master table. When a malicious mobile application carrying a crafted SQLite database is analyzed, the attacker-controlled table names are interpolated directly into SQL statements without parameterization or identifier quoting. This can lead to denial of service, since a malicious table name makes the database viewer crash and prevents the analyst from inspecting the database content. It also allows SQL injection via UNION SELECT, potentially letting an attacker return attacker-controlled data to the viewer. The vulnerable code is reached whenever an analyst views a .db file during dynamic or static analysis. The PRAGMA table_info() statement on line 553 and the SELECT * FROM query on line 557 are the injection points.
Recommendations: Versions prior to 4.4.6: upgrade to version 4.4.6 or later to address the issue. The suggested fix replaces the string formatting with properly quoted identifiers, escaping any double quote inside a table name by doubling it (a single " becomes "") so the name cannot break out of the double-quoted identifier context.
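The following is an added example and not MobSF's own code. It demonstrates the fix pattern the recommendation describes, a double-quoted identifier with embedded quotes doubled, alongside the unquoted %-formatting pattern the description attributes to read_sqlite(), against a constructed in-memory SQLite database. The function names quote_identifier, crashes_legacy_viewer, dump_tables and build_sample_db, and the sample table names, are assumptions made for this example and are not MobSF identifiers.

```python
import sqlite3

# Added example, not MobSF's own code. Shows the advisory's fix pattern
# (double-quoted identifiers, embedded quotes doubled) next to the unsafe
# %-formatting pattern, on a constructed in-memory database. The function
# and table names below are assumptions for this example, not MobSF's.

SQLITE_MASTER_TABLES = "SELECT name FROM sqlite_master WHERE type = 'table'"


def quote_identifier(name: str) -> str:
    """Return NAME as a SQL identifier that cannot break out of its quotes:
    wrap it in double quotes and double every double quote it contains."""
    return '"' + name.replace('"', '""') + '"'


def crashes_legacy_viewer(con: sqlite3.Connection, table: str) -> bool:
    """The unsafe pattern from the advisory: the table name is spliced in
    with % and no quoting. A name containing spaces or quotes makes the
    PRAGMA fail, which is the denial-of-service effect the advisory
    describes. Returns True when the legacy query errors for this name."""
    try:
        con.execute("PRAGMA table_info(%s)" % table).fetchall()
        return False
    except sqlite3.Error:
        return True


def dump_tables(con: sqlite3.Connection) -> dict:
    """Hardened viewer: every table name read from sqlite_master is quoted
    before it is spliced into the PRAGMA and SELECT text. SQLite cannot bind
    identifiers as parameters, so quoting is the correct mitigation here."""
    out = {}
    for (table,) in con.execute(SQLITE_MASTER_TABLES).fetchall():
        ident = quote_identifier(table)
        cols = [row[1] for row in con.execute("PRAGMA table_info(%s)" % ident)]
        rows = con.execute("SELECT * FROM %s" % ident).fetchall()
        out[table] = {"columns": cols, "rows": rows}
    return out


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample: one ordinary table and one whose name carries a
    space and embedded double quotes, as an untrusted app database might."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'alice')")
    odd = 'odd "name" table'
    con.execute("CREATE TABLE %s (k TEXT)" % quote_identifier(odd))
    con.execute("INSERT INTO %s VALUES ('v')" % quote_identifier(odd))
    return con


if __name__ == "__main__":
    con = build_sample_db()
    for (table,) in con.execute(SQLITE_MASTER_TABLES).fetchall():
        print(repr(table), "crashes legacy viewer:", crashes_legacy_viewer(con, table))
    print(dump_tables(con))
```

Running the block shows the ordinary table working under both patterns, while the table with an unusual name makes the unquoted PRAGMA raise an error and is still listed correctly by the quoted viewer. Quoting is used rather than a parameter placeholder because SQLite, like other SQL engines, only binds values, not table or column identifiers.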

Exploit

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-33545
GHSA-HQJR-43R5-9Q58

Affected Products

Mobsf