SCA: security update for mobsf (GHSA-hqjr-43r5-9q58)

medium Tenable Self-Hosted Container Security Plugin ID 439182

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- MobSF is a mobile application security testing tool used. Prior to version 4.4.6, MobSF's `read_sqlite()`
function in `mobsf/MobSF/utils.py` (lines 542-566) uses Python string formatting (`%`) to construct SQL
queries with table names read from a SQLite database's `sqlite_master` table. When a security analyst uses
MobSF to analyze a malicious mobile application containing a crafted SQLite database, attacker-controlled
table names are interpolated directly into SQL queries without parameterization or escaping. This allows
an attacker to cause denial of service and achieve SQL injection. Version 4.4.6 patches the issue.
(CVE-2026-33545)

Solution

Update the mobsf library and its related packages to version 4.4.6 or later.

See Also

https://github.com/advisories/GHSA-hqjr-43r5-9q58

Plugin Details

Severity: Medium

ID: 439182

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 3/25/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.73

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2026-33545

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/24/2026

Vulnerability Publication Date: 3/24/2026

Reference Information

CVE: CVE-2026-33545

cwe: CWE-89