cbcvebase.

Opensecurity Mobile Security Framework vulnerabilities

18 known vulnerabilities affecting opensecurity/mobile_security_framework.

Total CVEs
18
CISA KEV
0
Public exploits
1
Exploited in wild
0
Severity breakdown
CRITICAL2HIGH4MEDIUM12

Vulnerabilities

Page 1 of 1
CVE-2024-43399P3CRITICALCVSS 9.8fixed in 4.0.72024-08-19
CVE-2024-43399 [CRITICAL] CWE-23 CVE-2024-43399: Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framewo Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. Before 4.0.7, there is a flaw in the Static Libraries analysis section. Specifically, during the extraction of .a extension files, the measure intended to prevent Zip Slip attacks is improperly im
nvd
CVE-2024-41955P4MEDIUMCVSS 5.4PoCfixed in 4.0.52024-07-31
CVE-2024-41955 [MEDIUM] CWE-601 CVE-2024-41955: Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile. An open redirect vulnerability exist in MobSF authentication view. Update to MobSF v4.0.5.
nvd
CVE-2025-31116P3CRITICALCVSS 9.8fixed in 4.3.22025-03-31
CVE-2025-31116 [CRITICAL] CVE-2025-31116: Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framewo Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. The mitigation for CVE-2024-29190 in valid_host() uses socket.gethostbyname(), which is vulnerable to SSRF abuse using DNS rebinding technique. This vulnerability is fixed in 4.3.2.
nvd
CVE-2023-42261P3HIGHCVSS 7.5≤ 3.7.6v3.7.82023-09-21
CVE-2023-42261 [HIGH] CWE-276 CVE-2023-42261: Mobile Security Framework (MobSF) <=v3.7.8 Beta is vulnerable to Insecure Permissions. NOTE: the ven Mobile Security Framework (MobSF) <=v3.7.8 Beta is vulnerable to Insecure Permissions. NOTE: the vendor's position is that authentication is intentionally not implemented because the product is not intended for an untrusted network environment. Use cases requiring authentication could, for example, use a reverse proxy server.
nvd
CVE-2024-29190P3HIGHCVSS 7.5fixed in 3.9.72024-03-22
CVE-2024-29190 [HIGH] CWE-918 CVE-2024-29190: Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framewo Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. In version 3.9.5 Beta and prior, MobSF does not perform any input validation when extracting the hostnames in `android:host`, so requests can also be sent to local hostnames. This can lead to server-
nvd
CVE-2024-54000P3HIGHCVSS 7.5fixed in 3.9.72024-12-03
CVE-2024-54000 [HIGH] CVE-2024-54000: Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framewo Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. In versions prior to 3.9.7, the requests.get() request in the _check_url method is specified as allow_redirects=True, which allows a server-side request forgery when a request to .well-known/assetlinks.json"
nvd
CVE-2022-41547P3HIGHCVSS 7.5≤ 0.9.22022-10-18
CVE-2022-41547 [HIGH] CWE-98 CVE-2022-41547: Mobile Security Framework (MobSF) v0.9.2 and below was discovered to contain a local file inclusion Mobile Security Framework (MobSF) v0.9.2 and below was discovered to contain a local file inclusion (LFI) vulnerability in the StaticAnalyzer/views.py script. This vulnerability allows attackers to read arbitrary files via a crafted HTTP request.
nvd
CVE-2025-58162P3MEDIUMCVSS 6.5v4.4.02025-09-02
CVE-2025-58162 [MEDIUM] CWE-22 CVE-2025-58162: MobSF is a mobile application security testing tool used. In version 4.4.0, an authenticated user wh MobSF is a mobile application security testing tool used. In version 4.4.0, an authenticated user who uploaded a specially prepared one.a, can write arbitrary files to any directory writable by the user of the MobSF process. This issue has been patched in version 4.4.1.
nvd
CVE-2025-46730P3MEDIUMCVSS 6.5fixed in 4.3.32025-05-05
CVE-2025-46730 [MEDIUM] CWE-409 CVE-2025-46730: MobSF is a mobile application security testing tool used. Typically, MobSF is deployed on centralize MobSF is a mobile application security testing tool used. Typically, MobSF is deployed on centralized internal or cloud-based servers that also host other security tools and web applications. Access to the MobSF web interface is often granted to internal security teams, audit teams, and external vendors. MobSF provides a feature that allows users to
nvd
CVE-2026-33545P3MEDIUMCVSS 6.5fixed in 4.4.62026-03-26
CVE-2026-33545 [MEDIUM] CWE-89 CVE-2026-33545: MobSF is a mobile application security testing tool used. Prior to version 4.4.6, MobSF's `read_sqli MobSF is a mobile application security testing tool used. Prior to version 4.4.6, MobSF's `read_sqlite()` function in `mobsf/MobSF/utils.py` (lines 542-566) uses Python string formatting (`%`) to construct SQL queries with table names read from a SQLite database's `sqlite_master` table. When a security analyst uses MobSF to analyze a malicious mobile
nvd
CVE-2025-58161P4MEDIUMCVSS 4.3v4.4.02025-09-02
CVE-2025-58161 [MEDIUM] CWE-22 CVE-2025-58161: MobSF is a mobile application security testing tool used. In version 4.4.0, the GET /download/ route MobSF is a mobile application security testing tool used. In version 4.4.0, the GET /download/ route uses string path verification via os.path.commonprefix, which allows an authenticated user to download files outside the DWD_DIR download directory from "neighboring" directories whose absolute paths begin with the same prefix as DWD_DIR (e.g., .../do
nvd
CVE-2024-53999P4MEDIUMCVSS 5.4fixed in 4.2.92024-12-03
CVE-2024-53999 [MEDIUM] CWE-79 CVE-2024-53999: Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framewo Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. The application allows users to upload files with scripts in the filename parameter. As a result, a malicious user can upload a script file to the system. When users in the application use the "Diff
nvd
CVE-2025-24803P4MEDIUMCVSS 5.4v4.3.02025-02-05
CVE-2025-24803 [MEDIUM] CWE-79 CVE-2025-24803: Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Window Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework. According to Apple's documentation for bundle ID's, it must contain only alphanumeric characters (A–Z, a–z, and 0–9), hyphens (-), and periods (.). However, an attacker can manually mo
nvd
CVE-2025-46335P4MEDIUMCVSS 5.4fixed in 4.3.32025-05-05
CVE-2025-46335 [MEDIUM] CWE-79 CVE-2025-46335: Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile. A Stored Cross-Site Scripting (XSS) vulnerability has been identified in MobSF versions up to and including 4.3.2. The vulnerability arises from improper sanitization of user-supplied SVG files during the Android APK analysis
nvd
CVE-2025-24805P4MEDIUMCVSS 5.5fixed in 4.3.12025-02-05
CVE-2025-24805 [MEDIUM] CWE-269 CVE-2025-24805: Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Window Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework. A local user with minimal privileges is able to make use of an access token for materials for scopes which it should not be accepted. This issue has been addressed in version 4.3.1 an
nvd
CVE-2024-31215P4MEDIUMCVSS 4.3fixed in 3.9.82024-04-04
CVE-2024-31215 [MEDIUM] CWE-918 CVE-2024-31215: Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile. A SSRF vulnerability in firebase database check logic. The attacker can cause the server to make a connection to internal-only services within the organization’s infrastructure. When a malicious app is uploaded to Static anal
nvd
CVE-2026-24490P4MEDIUMCVSS 4.8fixed in 4.4.52026-01-27
CVE-2026-24490 [MEDIUM] CWE-79 CVE-2026-24490: MobSF is a mobile application security testing tool used. Prior to version 4.4.5, a Stored Cross-sit MobSF is a mobile application security testing tool used. Prior to version 4.4.5, a Stored Cross-site Scripting (XSS) vulnerability in MobSF's Android manifest analysis allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session by uploading a malicious APK. The `android:host` attribute from `` elements is rendered
nvd
CVE-2025-24804P4MEDIUMCVSS 4.3fixed in 4.3.12025-02-05
CVE-2025-24804 [MEDIUM] CWE-1287 CVE-2025-24804: Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Window Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework. According to Apple's documentation for bundle ID's, it must contain only alphanumeric characters (A–Z, a–z, and 0–9), hyphens (-), and periods (.). However, an attacker can manually
nvd
Opensecurity Mobile Security Framework vulnerabilities | cvebase