
100 matches found

Nuclei
added yesterday, 25 views

MobSF - Path Traversal

MobSF is vulnerable to an issue with apktool CVE-2024-21633 that allows for RCE or arbitrary file writing. It does this through a path traversal vulnerability. This template tests for it by writing to a local file and reading that file. RCE can be achieved by overwriting jadx, as shown in the two...

CVSS 7.8, AI score 7.2, EPSS 0.80522
Exploits: 2

Nuclei
added yesterday, 20 views

Open Redirect in Login Redirect - MobSF

Mobile Security Framework MobSF is a security research platform for mobile applications in Android, iOS and Windows Mobile. An open redirect vulnerability exists in MobSF authentication view. id: CVE-2024-41955 info: name: Open Redirect in Login Redirect - MobSF author: Farish severity: medium...

CVSS 5.4, AI score 5.8, EPSS 0.14796
Exploits: 1, References: 4

vulnersOsv
added 2026/04/21 6:16 p.m., 3 views

bagbag (>=0.72.2 <=0.75.43), chameli (>=0.1.9 <=0.1.13) +29 more potentially affected by CVE-2026-40606 via mitmproxy (>=0.17.0 <=12.2.1)

mitmproxy PYPI version =0.17.0, =0.72.2, =0.1.9, =0.1.0, =0.0.0, =4.0.0, =0.34.0, =0.14.1, =4.0.0, =0.11.0, =3.7.6, =2.0.0b0, =1.0.0, =0.9.0, =1.1.0 and more Source cves: CVE-2026-40606 Source advisory: OSV:PYSEC-2026-92...

CVSS 4.8, AI score 5.8, EPSS 0.00092
Exploits: 1

RedhatCVE
added 2026/03/27 10:51 p.m., 0 views

CVE-2026-33545

MobSF is a mobile application security testing tool used. Prior to version 4.4.6, MobSF's read_sqlite function in mobsf/MobSF/utils.py lines 542-566 uses Python string formatting % to construct SQL queries with table names read from a SQLite database's sqlite_master table. When a security analyst...

CVSS 5.3, AI score 6, EPSS 0.00035
Exploits: 1, References: 1

NVD
added 2026/03/26 9:17 p.m., 1 views

CVE-2026-33545

MobSF is a mobile application security testing tool used. Prior to version 4.4.6, MobSF's read_sqlite function in mobsf/MobSF/utils.py lines 542-566 uses Python string formatting % to construct SQL queries with table names read from a SQLite database's sqlite_master table. When a security analyst...

CVSS 6.5, EPSS 0.00035
Exploits: 1, References: 3

CVE
added 2026/03/26 8:32 p.m., 3 views

CVE-2026-33545

Summary: CVE-2026-33545 affects MobSF before 4.4.6, where read_sqlite() builds SQL queries by interpolating table names from sqlite_master using Python string formatting. This enables attacker-controlled table names to cause a DoS via a PRAGMA table_info() syntax error and, in isolation, SQL inje...

CVSS 6.5, AI score 5.9, EPSS 0.00035
Exploits: 1, References: 3, Affected Software: 1

ATTACKERKB
added 2026/03/26 8:32 p.m., 2 views

CVE-2026-33545

MobSF is a mobile application security testing tool used. Prior to version 4.4.6, MobSF's read_sqlite function in mobsf/MobSF/utils.py lines 542-566 uses Python string formatting % to construct SQL queries with table names read from a SQLite database's sqlite_master table. When a security analyst...

CVSS 5.3, AI score 5.9, EPSS 0.00035
Exploits: 1, References: 4, Affected Software: 1

OSV
added 2026/03/26 8:32 p.m., 0 views

CVE-2026-33545 MobSF has SQL Injection in its SQLite Database Viewer Utils

MobSF is a mobile application security testing tool used. Prior to version 4.4.6, MobSF's read_sqlite function in mobsf/MobSF/utils.py lines 542-566 uses Python string formatting % to construct SQL queries with table names read from a SQLite database's sqlite_master table. When a security analyst...

CVSS 5.3, AI score 5.9, EPSS 0.00035
Exploits: 1, References: 5

Github Security Blog
added 2026/03/24 7:23 p.m., 3 views

MobSF has SQL Injection in its SQLite Database Viewer Utils

Description: MobSF's read_sqlite function in mobsf/MobSF/utils.py lines 542-566 uses Python string formatting % to construct SQL queries with table names read from a SQLite database's sqlite_master table. When a security analyst uses MobSF to analyze a malicious mobile application containing a craft...

CVSS 6.5, AI score 6.2, EPSS 0.00035
Exploits: 1, References: 5, Affected Software: 1

Circl
added 2026/03/21 9:50 p.m., 2 views

CVE-2026-33545

creationtimestamp | type | source
---|---|---
2026-03-21 21:50:45+00:00 | published-proof-of-concept | https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-hqjr-43r5-9q58
2026-03-21 21:50:45+00:00 | published-proof-of-concept | ...

CVSS 6.5, AI score 5.8, EPSS 0.00035
Exploits: 1, References: 1

NVD
added 2026/01/27 1:16 a.m., 3 views

CVE-2026-24490

MobSF is a mobile application security testing tool used. Prior to version 4.4.5, a Stored Cross-site Scripting XSS vulnerability in MobSF's Android manifest analysis allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session by uploading a malicious APK. The...

CVSS 8.1, EPSS 0.00025
Exploits: 1, References: 3

ATTACKERKB
added 2026/01/27 12:40 a.m., 2 views

CVE-2026-24490

MobSF is a mobile application security testing tool used. Prior to version 4.4.5, a Stored Cross-site Scripting XSS vulnerability in MobSF's Android manifest analysis allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session by uploading a malicious APK. The...

CVSS 8.1, AI score 6.1, EPSS 0.00025
Exploits: 1, References: 4, Affected Software: 1

OSV
added 2026/01/27 12:40 a.m., 2 views

CVE-2026-24490 MobSF has Stored XSS via Manifest Analysis - Dialer Code Host Field

MobSF is a mobile application security testing tool used. Prior to version 4.4.5, a Stored Cross-site Scripting XSS vulnerability in MobSF's Android manifest analysis allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session by uploading a malicious APK. The...

CVSS 8.1, AI score 6.1, EPSS 0.00025
Exploits: 1, References: 5

Cvelist
added 2026/01/27 12:40 a.m., 25 views

CVE-2026-24490 MobSF has Stored XSS via Manifest Analysis - Dialer Code Host Field

MobSF is a mobile application security testing tool used. Prior to version 4.4.5, a Stored Cross-site Scripting XSS vulnerability in MobSF's Android manifest analysis allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session by uploading a malicious APK. The...

CVSS 8.1, EPSS 0.00025
Exploits: 1, References: 3

Snyk
added 2026/01/26 11:36 p.m., 1 views

Cross-site Scripting (XSS)

Overview: mobsf is a Mobile Security Framework MobSF is an automated, all-in-one mobile application Android/iOS/Windows pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. Affected versions of this package are vulnerable to Cross-site...

CVSS 8.1, AI score 6, EPSS 0.00025
Exploits: 1, References: 2

Github Security Blog
added 2026/01/26 11:36 p.m., 7 views

MobSF has Stored XSS via Manifest Analysis - Dialer Code Host Field

Summary: A Stored Cross-site Scripting XSS vulnerability in MobSF's Android manifest analysis allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session by uploading a malicious APK. The android:host attribute from elements is rendered in HTML reports without...

CVSS 8.1, AI score 6.1, EPSS 0.00025
Exploits: 1, References: 5, Affected Software: 1

EUVD
added 2025/10/03 8:7 p.m., 6 views

EUVD-2025-13409

Malicious code in bioql PyPI...

CVSS 6.8, AI score 6.3, EPSS 0.00306
Exploits: 1, References: 4

EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2025-26368

Malicious code in bioql PyPI...

CVSS 6.5, AI score 6.3, EPSS 0.0029
Exploits: 1, References: 3

EUVD
added 2025/10/03 8:7 p.m., 3 views

EUVD-2025-0241

Malicious code in bioql PyPI...

CVSS 4.8, AI score 6.3, EPSS 0.00149
Exploits: 1, References: 6

Veracode
added 2025/09/30 6:1 p.m., 3 views

Directory Traversal

mobsf is vulnerable to Directory Traversal. The vulnerability is due to improper string path verification using os.path.commonprefix, which allows an attacker to download files outside the intended DWDDIR directory and access data from neighboring directories...

CVSS 5.3, AI score 7, EPSS 0.00199
Exploits: 1, References: 4, Affected Software: 1