CVE-2025-46335

Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile. A Stored Cross-Site Scripting (XSS) vulnerability has been identified in MobSF versions up to and including 4.3.2. The vulnerability arises from improper sanitization of user-supplied SVG files during the Android APK analysis workflow. Version 4.3.3 fixes the issue.
Configurations

Configuration 1

cpe:2.3:a:opensecurity:mobile_security_framework:*:*:*:*:*:*:*:*

History

28 May 2025, 20:06

Type Values Removed Values Added
CPE
  • Values Added: cpe:2.3:a:opensecurity:mobile_security_framework:*:*:*:*:*:*:*:*
First Time
  • Values Added: Opensecurity
  • Values Added: Opensecurity mobile Security Framework
CVSS
  • Values Removed: v2 : unknown, v3 : unknown
  • Values Added: v2 : unknown, v3 : 5.4
Summary
  • Values Added: (es) Mobile Security Framework (MobSF) is a security research platform for mobile applications on Android, iOS and Windows Mobile. A stored cross-site scripting (XSS) vulnerability has been identified in MobSF versions up to 4.3.2. This vulnerability arises from improper sanitization of user-supplied SVG files during the Android APK analysis workflow. Version 4.3.3 fixes the issue.
References
  • Values Removed: https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/6987a946485a795f4fd38cebdb4860b368a1995d
  • Values Added: https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/6987a946485a795f4fd38cebdb4860b368a1995d - Patch
References
  • Values Removed: https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-mwfg-948f-2cc5
  • Values Added: https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-mwfg-948f-2cc5 - Exploit, Vendor Advisory

05 May 2025, 19:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-05-05 19:15

Updated : 2025-05-28 20:06


NVD link : CVE-2025-46335

Mitre link : CVE-2025-46335

CVE.ORG link : CVE-2025-46335



Products Affected

opensecurity

  • mobile_security_framework
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')