CVE-2026-33545 MobSF has SQL Injection in its SQLite Database Viewer Utils

MobSF is a mobile application security testing tool used. Prior to version 4.4.6, MobSF's readsqlite function in mobsf/MobSF/utils.py lines 542-566 uses Python string formatting % to construct SQL queries with table names read from a SQLite database's sqlitemaster table. When a security analyst...

CVE-2026-33545

Summary: CVE-2026-33545 affects MobSF before 4.4.6, where read_sqlite() builds SQL queries by interpolating table names from sqlite_master using Python string formatting. This enables attacker-controlled table names to cause a DoS via a PRAGMA table_info() syntax error and, in isolation, SQL inje...

CVE-2026-33545

MobSF is a mobile application security testing tool used. Prior to version 4.4.6, MobSF's readsqlite function in mobsf/MobSF/utils.py lines 542-566 uses Python string formatting % to construct SQL queries with table names read from a SQLite database's sqlitemaster table. When a security analyst...

CVE-2026-33545 MobSF has SQL Injection in its SQLite Database Viewer Utils

MobSF is a mobile application security testing tool used. Prior to version 4.4.6, MobSF's readsqlite function in mobsf/MobSF/utils.py lines 542-566 uses Python string formatting % to construct SQL queries with table names read from a SQLite database's sqlitemaster table. When a security analyst...

GHSA-98C2-4CR3-4JC3 n8n has SQL Injection in Data Table Node via orderByColumn Expression

Impact An authenticated user with permission to create or modify workflows could exploit a SQL injection vulnerability in the Data Table Get node. On default SQLite DB, single statements can be manipulated and the attack surface is practically limited. On PostgreSQL deployments, multi-statement...

EUVD-2026-15947

n8n has SQL Injection in Data Table Node via orderByColumn Expression...

CVE-2026-32763

Kysely is a type-safe TypeScript SQL query builder. Versions up to and including 0.28.11 has a SQL injection vulnerability in JSON path compilation for MySQL and SQLite dialects. The visitJSONPathLeg function appends user-controlled values from .key and .at directly into single-quoted JSON path...

CVE-2026-32767

SiYuan is a personal knowledge management system. Versions 3.6.0 and below contain an authorization bypass vulnerability in the /api/search/fullTextSearchBlock endpoint. When the method parameter is set to 2, the endpoint passes user-supplied input directly as a raw SQL statement to the underlyin...

PT-2026-28564

Name of the Vulnerable Software and Affected Versions Ella Core versions prior to 1.7.0 Description Ella Core is a 5G core designed for private networks. The NetworkManager role had backup and restore permissions. The restore endpoint accepted any valid SQLite file without content verification...

Improper Check for Unusual or Exceptional Conditions

Overview @grackle-ai/server is a Grackle server orchestrator — spawns and wires core gRPC, web-server HTTP, MCP, and PowerLine Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions in the JSON.parse process within the gRPC service adapter...

NightOwl

NightOwl Advanced Penetration Testing Framework A modula...

PT-2026-28080

Name of the Vulnerable Software and Affected Versions n8n versions prior to 1.123.26 n8n versions prior to 2.13.3 n8n versions prior to 2.14.1 Description n8n is a workflow automation platform susceptible to a SQL injection issue in the Data Table Get node. An authenticated user with appropriate...

SQLite <= 3.51.1 Information Disclosure

The version of SQLite installed on the remote host is prior to 3.51.2. It is, therefore, affected by an information disclosure issue where the zipfileInflate function, responsible for decompressing ZIP file contents, fails to properly validate or sanitize data during the inflation process. When...

GHSA-HQJR-43R5-9Q58 MobSF has SQL Injection in its SQLite Database Viewer Utils

Description MobSF's readsqlite function in mobsf/MobSF/utils.py lines 542-566 uses Python string formatting % to construct SQL queries with table names read from a SQLite database's sqlitemaster table. When a security analyst uses MobSF to analyze a malicious mobile application containing a craft...

SQL Injection

Overview mobsf is a Mobile Security Framework MobSF is an automated, all-in-one mobile application Android/iOS/Windows pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. Affected versions of this package are vulnerable to SQL Injecti...

MobSF has SQL Injection in its SQLite Database Viewer Utils

Description MobSF's readsqlite function in mobsf/MobSF/utils.py lines 542-566 uses Python string formatting % to construct SQL queries with table names read from a SQLite database's sqlitemaster table. When a security analyst uses MobSF to analyze a malicious mobile application containing a craft...

PT-2026-27625

Name of the Vulnerable Software and Affected Versions MobSF versions prior to 4.4.6 Description MobSF, a mobile application security testing tool, contains a flaw in its read sqlite function located in mobsf/MobSF/utils.py lines 542-566. This function utilizes Python string formatting % to...

SUSE-SU-2026:20771-1 Security update for sqlite3

This update for sqlite3 fixes the following issues: Update to sqlite3 3.51.3: - CVE-2025-7709: Integer Overflow in FTS5 Extension bsc1254670. - CVE-2025-70873: SQLite zipfile extension may disclose uninitialized heap memory during inflation bsc1259619. Changelog: Update to version 3.51.3: Fix the...

CVE-2026-32763

Kysely is a type-safe TypeScript SQL query builder. Versions up to and including 0.28.11 has a SQL injection vulnerability in JSON path compilation for MySQL and SQLite dialects. The visitJSONPathLeg function appends user-controlled values from .key and .at directly into single-quoted JSON path...

CVE-2026-32767

SiYuan is a personal knowledge management system. Versions 3.6.0 and below contain an authorization bypass vulnerability in the /api/search/fullTextSearchBlock endpoint. When the method parameter is set to 2, the endpoint passes user-supplied input directly as a raw SQL statement to the underlyin...