CVE-2025-46335 Mobile Security Framework (MobSF) Allows Stored Cross Site Scripting (XSS) via malicious SVG Icon Upload

🗓️ 05 May 2025 18:23:59Reported by GitHub_MType

CVE-2025-46335 in MobSF allows XSS via SVG icon upload; fixed in version 4.3.3.

Reporter	Title	Published	Views	Family All 15
BDU FSTEC	The vulnerability of the Mobile Security Framework (MobSF), which stems from the lack of protective measures for website structures, allows attackers to carry out cross-site scripting attacks.	1 Aug 202500:00	–	bdu_fstec
Circl	CVE-2025-46335	4 May 202523:34	–	circl
CNNVD	Mobile Security Framework（MobSF）跨站脚本漏洞	5 May 202500:00	–	cnnvd
CVE	CVE-2025-46335	5 May 202518:23	–	cve
EUVD	EUVD-2025-13371	3 Oct 202520:07	–	euvd
Github Security Blog	Mobile Security Framework (MobSF) Allows Stored Cross Site Scripting (XSS) via malicious SVG Icon Upload	5 May 202514:55	–	github
NVD	CVE-2025-46335	5 May 202519:15	–	nvd
OSV	CVE-2025-46335 Mobile Security Framework (MobSF) Allows Stored Cross Site Scripting (XSS) via malicious SVG Icon Upload	5 May 202518:23	–	osv
OSV	GHSA-MWFG-948F-2CC5 Mobile Security Framework (MobSF) Allows Stored Cross Site Scripting (XSS) via malicious SVG Icon Upload	5 May 202514:55	–	osv
Positive Technologies	PT-2025-19768 · Mobsf +1 · Mobsf +1	5 May 202500:00	–	ptsecurity

[
  {
    "vendor": "MobSF",
    "product": "Mobile-Security-Framework-MobSF",
    "versions": [
      {
        "version": "< 4.3.3",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/MobSF/Mobile-Security-Framework-MobSF/commit/6987a946485a795f4fd38cebdb4860b368a1995d
github	www.github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-mwfg-948f-2cc5

05 May 2025 18:23Current

CVSS 48.6

EPSS0.00202

CWE-79