VYPR

PyPI package

mobsf

pkg:pypi/mobsf

Vulnerabilities (17)

  • CVE-2026-33545 | Med | Mar 26, 2026
    affected < 4.4.6 | fixed 4.4.6

    MobSF is a mobile application security testing tool. Prior to version 4.4.6, MobSF's `read_sqlite()` function in `mobsf/MobSF/utils.py` (lines 542-566) uses Python string formatting (`%`) to construct SQL queries with table names read from a SQLite database's `sqlite_master`

  • CVE-2026-24490 | Jan 27, 2026
    affected < 4.4.5 | fixed 4.4.5

    MobSF is a mobile application security testing tool. Prior to version 4.4.5, a Stored Cross-site Scripting (XSS) vulnerability in MobSF's Android manifest analysis allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session by uploading a

  • CVE-2025-58162 | Sep 2, 2025
    affected < 4.4.1 | fixed 4.4.1

    MobSF is a mobile application security testing tool. In version 4.4.0, an authenticated user who uploads a specially prepared `one.a` can write arbitrary files to any directory writable by the user of the MobSF process. This issue has been patched in version 4.4.1.

  • CVE-2025-58161 | Sep 2, 2025
    affected < 4.4.1 | fixed 4.4.1

    MobSF is a mobile application security testing tool. In version 4.4.0, the `GET /download/` route uses string path verification via `os.path.commonprefix`, which allows an authenticated user to download files outside the `DWD_DIR` download directory from "neighboring" directories

  • CVE-2025-46730 | May 5, 2025
    affected <= 4.3.2

    MobSF is a mobile application security testing tool. Typically, MobSF is deployed on centralized internal or cloud-based servers that also host other security tools and web applications. Access to the MobSF web interface is often granted to internal security teams, audit tea

  • CVE-2025-46335 | May 5, 2025
    affected < 4.3.3 | fixed 4.3.3

    Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile. A Stored Cross-Site Scripting (XSS) vulnerability has been identified in MobSF versions up to and including 4.3.2. The vulnerability arises from improper

  • CVE-2025-31116 | Mar 31, 2025
    affected < 4.3.2 | fixed 4.3.2

    Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. The mitigation for CVE-2024-29190 in valid_host() uses socket.gethostbyname(), which is vulnerable to SSRF abuse using DNS reb

  • CVE-2025-24803 | Feb 5, 2025
    affected < 4.3.1 | fixed 4.3.1

    Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework. According to Apple's documentation for bundle IDs, it must contain only alphanumeric characters (A–Z, a–z, and

  • CVE-2025-24804 | Feb 5, 2025
    affected < 4.3.1 | fixed 4.3.1

    Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework. According to Apple's documentation for bundle IDs, it must contain only alphanumeric characters (A–Z, a–z, and

  • CVE-2025-24805 | Feb 5, 2025
    affected < 4.3.1 | fixed 4.3.1

    Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework. A local user with minimal privileges is able to make use of an access token for materials for scopes which it sh

  • CVE-2024-53999 | Dec 3, 2024
    affected < 4.2.9 | fixed 4.2.9

    Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. The application allows users to upload files with scripts in the filename parameter. As a result, a malicious user can upload

  • CVE-2024-54000 | Dec 3, 2024
    affected < 3.9.7 | fixed 3.9.7

    Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. In versions prior to 3.9.7, the requests.get() request in the _check_url method is specified as allow_redirects=True, which al

  • CVE-2024-43399 | Aug 19, 2024
    affected < 4.0.7 | fixed 4.0.7

    Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. Before 4.0.7, there is a flaw in the Static Libraries analysis section. Specifically, during the extraction of .a extension fi

  • CVE-2024-41955 | Jul 31, 2024
    affected < 4.0.5 | fixed 4.0.5

    Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile. An open redirect vulnerability exists in the MobSF authentication view. Update to MobSF v4.0.5.

  • CVE-2024-31215 | Apr 4, 2024
    affected < 3.9.8 | fixed 3.9.8

    Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile. An SSRF vulnerability exists in the Firebase database check logic. The attacker can cause the server to make a connection to internal-only services within the organiz

  • CVE-2023-42261 | Sep 21, 2023
    affected < 3.9.7 | fixed 3.9.7

    Mobile Security Framework (MobSF) <=v3.7.8 Beta is vulnerable to Insecure Permissions. NOTE: the vendor's position is that authentication is intentionally not implemented because the product is not intended for an untrusted network environment. Use cases requiring authentication

  • CVE-2022-41547 | Oct 18, 2022
    affected < 0.9.3 | fixed 0.9.3

    Mobile Security Framework (MobSF) v0.9.2 and below was discovered to contain a local file inclusion (LFI) vulnerability in the StaticAnalyzer/views.py script. This vulnerability allows attackers to read arbitrary files via a crafted HTTP request.