Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
12 vulnerabilities by skylot
CVE-2026-54684 (GCVE-0-2026-54684)
Vulnerability from nvd – Published: 2026-07-14 21:46 – Updated: 2026-07-15 14:31
VLAI
EPSS
VEX
Title
jadx: XAPK archive entries with absolute paths can plant drop-in plugins and achieve code execution on the next jadx run
Summary
jadx is a Dex to Java decompiler. From 1.5.2 to 1.5.5, a malicious .xapk file can cause jadx to write attacker-controlled archive entry contents outside the intended XAPK plugin temporary unpack directory because XApkLoader resolves each entry name directly with tmpDir.resolve(fileName) after a CWD-based ZIP security check. When jadx is launched from a directory that is an ancestor of the config directory, the arbitrary write can plant a JAR in plugins/dropins, and the next jadx run loads the JAR with URLClassLoader and ServiceLoader, executing attacker-controlled plugin code. This issue is fixed in version 1.5.6.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/skylot/jadx/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/skylot/jadx/commit/a74bb07d6ee… | x_refsource_MISC |
| https://github.com/skylot/jadx/releases/tag/v1.5.6 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54684",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T14:30:45.535910Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T14:31:05.749Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/skylot/jadx/security/advisories/GHSA-gpvc-ccw7-744v"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jadx",
"vendor": "skylot",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.5.2, \u003c 1.5.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "jadx is a Dex to Java decompiler. From 1.5.2 to 1.5.5, a malicious .xapk file can cause jadx to write attacker-controlled archive entry contents outside the intended XAPK plugin temporary unpack directory because XApkLoader resolves each entry name directly with tmpDir.resolve(fileName) after a CWD-based ZIP security check. When jadx is launched from a directory that is an ancestor of the config directory, the arbitrary write can plant a JAR in plugins/dropins, and the next jadx run loads the JAR with URLClassLoader and ServiceLoader, executing attacker-controlled plugin code. This issue is fixed in version 1.5.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T21:46:29.373Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/skylot/jadx/security/advisories/GHSA-gpvc-ccw7-744v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/skylot/jadx/security/advisories/GHSA-gpvc-ccw7-744v"
},
{
"name": "https://github.com/skylot/jadx/commit/a74bb07d6eebaf4da5c2b2cbc4d3c0c3cb7517cb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/skylot/jadx/commit/a74bb07d6eebaf4da5c2b2cbc4d3c0c3cb7517cb"
},
{
"name": "https://github.com/skylot/jadx/releases/tag/v1.5.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/skylot/jadx/releases/tag/v1.5.6"
}
],
"source": {
"advisory": "GHSA-gpvc-ccw7-744v",
"discovery": "UNKNOWN"
},
"title": "jadx: XAPK archive entries with absolute paths can plant drop-in plugins and achieve code execution on the next jadx run"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54684",
"datePublished": "2026-07-14T21:46:29.373Z",
"dateReserved": "2026-06-15T22:53:58.561Z",
"dateUpdated": "2026-07-15T14:31:05.749Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42447 (GCVE-0-2026-42447)
Vulnerability from nvd – Published: 2026-07-14 21:45 – Updated: 2026-07-15 17:39
VLAI
EPSS
VEX
Title
jadx: HTML Injection in Summary panel
Summary
jadx is a Dex to Java decompiler. Prior to 1.5.6, jadx-gui is affected by an HTML injection vulnerability in the Summary tab because SummaryNode.java appends arches and perArchCount values derived from .so file path components inside an APK into an HTML panel without escaping. A malicious APK with an HTML URL-encoded ZIP entry name can force rendering of arbitrary HTML, perform out-of-band requests, disclose the victim IP address, or interact with locally exposed applications. This issue is fixed in version 1.5.6.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/skylot/jadx/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/skylot/jadx/commit/7713655feeb… | x_refsource_MISC |
| https://github.com/skylot/jadx/releases/tag/v1.5.6 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42447",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T17:39:21.622156Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T17:39:26.549Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/skylot/jadx/security/advisories/GHSA-jwv3-q635-w9m4"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jadx",
"vendor": "skylot",
"versions": [
{
"status": "affected",
"version": "\u003c 1.5.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "jadx is a Dex to Java decompiler. Prior to 1.5.6, jadx-gui is affected by an HTML injection vulnerability in the Summary tab because SummaryNode.java appends arches and perArchCount values derived from .so file path components inside an APK into an HTML panel without escaping. A malicious APK with an HTML URL-encoded ZIP entry name can force rendering of arbitrary HTML, perform out-of-band requests, disclose the victim IP address, or interact with locally exposed applications. This issue is fixed in version 1.5.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.6,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T21:45:33.878Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/skylot/jadx/security/advisories/GHSA-jwv3-q635-w9m4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/skylot/jadx/security/advisories/GHSA-jwv3-q635-w9m4"
},
{
"name": "https://github.com/skylot/jadx/commit/7713655feeb8e1c4b80797e8fc0e8eb1550b65ef",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/skylot/jadx/commit/7713655feeb8e1c4b80797e8fc0e8eb1550b65ef"
},
{
"name": "https://github.com/skylot/jadx/releases/tag/v1.5.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/skylot/jadx/releases/tag/v1.5.6"
}
],
"source": {
"advisory": "GHSA-jwv3-q635-w9m4",
"discovery": "UNKNOWN"
},
"title": "jadx: HTML Injection in Summary panel"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42447",
"datePublished": "2026-07-14T21:45:33.878Z",
"dateReserved": "2026-04-27T13:55:58.693Z",
"dateUpdated": "2026-07-15T17:39:26.549Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42049 (GCVE-0-2026-42049)
Vulnerability from nvd – Published: 2026-07-14 21:44 – Updated: 2026-07-15 13:26
VLAI
EPSS
VEX
Title
jadx: RCE Via Groovy Code Injection in Gradle Export
Summary
jadx is a Dex to Java decompiler. Prior to 1.5.6, jadx inserts the android:versionName value from an AndroidManifest into the generated app/build.gradle Groovy template without proper sanitization when exporting a decompiled APK as an Android Gradle project. A malicious APK can break out of the string context so that opening or building the exported Gradle project executes attacker-controlled Groovy code on the victim machine. This issue is fixed in version 1.5.6.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/skylot/jadx/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/skylot/jadx/commit/5a6e660b466… | x_refsource_MISC |
| https://github.com/skylot/jadx/releases/tag/v1.5.6 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42049",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T13:20:40.319570Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T13:26:06.033Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jadx",
"vendor": "skylot",
"versions": [
{
"status": "affected",
"version": "\u003c 1.5.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "jadx is a Dex to Java decompiler. Prior to 1.5.6, jadx inserts the android:versionName value from an AndroidManifest into the generated app/build.gradle Groovy template without proper sanitization when exporting a decompiled APK as an Android Gradle project. A malicious APK can break out of the string context so that opening or building the exported Gradle project executes attacker-controlled Groovy code on the victim machine. This issue is fixed in version 1.5.6."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T21:44:25.018Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/skylot/jadx/security/advisories/GHSA-w6f5-h4x4-rfpj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/skylot/jadx/security/advisories/GHSA-w6f5-h4x4-rfpj"
},
{
"name": "https://github.com/skylot/jadx/commit/5a6e660b4663d998d52c7dc4511299f3368ef611",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/skylot/jadx/commit/5a6e660b4663d998d52c7dc4511299f3368ef611"
},
{
"name": "https://github.com/skylot/jadx/releases/tag/v1.5.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/skylot/jadx/releases/tag/v1.5.6"
}
],
"source": {
"advisory": "GHSA-w6f5-h4x4-rfpj",
"discovery": "UNKNOWN"
},
"title": "jadx: RCE Via Groovy Code Injection in Gradle Export"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42049",
"datePublished": "2026-07-14T21:44:25.018Z",
"dateReserved": "2026-04-23T16:05:01.709Z",
"dateUpdated": "2026-07-15T13:26:06.033Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-32653 (GCVE-0-2024-32653)
Vulnerability from nvd – Published: 2024-04-22 22:13 – Updated: 2024-08-02 02:13
VLAI
EPSS
VEX
Title
Insufficient input filtering of "package name" allows command execution in the device with shell privileges
Summary
jadx is a Dex to Java decompiler. Prior to version 1.5.0, the package name is not filtered before concatenation. This can be exploited to inject arbitrary code into the package name. The vulnerability allows an attacker to execute commands with shell privileges. Version 1.5.0 contains a patch for the vulnerability.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/skylot/jadx/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/skylot/jadx/blob/9114821fb1255… | x_refsource_MISC |
| https://github.com/skylot/jadx/releases/tag/v1.5.0 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:skylot:jadx:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jadx",
"vendor": "skylot",
"versions": [
{
"lessThan": "1.5.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32653",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-23T15:17:46.461498Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T17:32:11.148Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:13:40.330Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/skylot/jadx/security/advisories/GHSA-3pp3-hg2q-9gpm",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/skylot/jadx/security/advisories/GHSA-3pp3-hg2q-9gpm"
},
{
"name": "https://github.com/skylot/jadx/blob/9114821fb12558874e01421bf38b0d34fb39df72/jadx-gui/src/main/java/jadx/gui/device/protocol/ADBDevice.java#L108-L109",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/skylot/jadx/blob/9114821fb12558874e01421bf38b0d34fb39df72/jadx-gui/src/main/java/jadx/gui/device/protocol/ADBDevice.java#L108-L109"
},
{
"name": "https://github.com/skylot/jadx/releases/tag/v1.5.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/skylot/jadx/releases/tag/v1.5.0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jadx",
"vendor": "skylot",
"versions": [
{
"status": "affected",
"version": "\u003c 1.5.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "jadx is a Dex to Java decompiler. Prior to version 1.5.0, the package name is not filtered before concatenation. This can be exploited to inject arbitrary code into the package name. The vulnerability allows an attacker to execute commands with shell privileges. Version 1.5.0 contains a patch for the vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-22T22:13:47.917Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/skylot/jadx/security/advisories/GHSA-3pp3-hg2q-9gpm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/skylot/jadx/security/advisories/GHSA-3pp3-hg2q-9gpm"
},
{
"name": "https://github.com/skylot/jadx/blob/9114821fb12558874e01421bf38b0d34fb39df72/jadx-gui/src/main/java/jadx/gui/device/protocol/ADBDevice.java#L108-L109",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/skylot/jadx/blob/9114821fb12558874e01421bf38b0d34fb39df72/jadx-gui/src/main/java/jadx/gui/device/protocol/ADBDevice.java#L108-L109"
},
{
"name": "https://github.com/skylot/jadx/releases/tag/v1.5.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/skylot/jadx/releases/tag/v1.5.0"
}
],
"source": {
"advisory": "GHSA-3pp3-hg2q-9gpm",
"discovery": "UNKNOWN"
},
"title": "Insufficient input filtering of \"package name\" allows command execution in the device with shell privileges"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-32653",
"datePublished": "2024-04-22T22:13:47.917Z",
"dateReserved": "2024-04-16T14:15:26.876Z",
"dateUpdated": "2024-08-02T02:13:40.330Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-39259 (GCVE-0-2022-39259)
Vulnerability from nvd – Published: 2022-10-21 00:00 – Updated: 2025-04-22 17:18
VLAI
EPSS
VEX
Title
Jadx-gui subject to Denial of Service via Swing HTML rendering
Summary
jadx is a set of command line and GUI tools for producing Java source code from Android Dex and Apk files. versions prior to 1.4.5 are subject to a Denial of Service when opening zip files with HTML sequences. This issue has been patched in version 1.4.5. There are no known workarounds.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
1 reference
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:00:43.352Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/skylot/jadx/security/advisories/GHSA-3r7j-8mqh-6qhx"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-39259",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:43:22.956688Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T17:18:05.407Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jadx",
"vendor": "skylot",
"versions": [
{
"status": "affected",
"version": "\u003c 1.4.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "jadx is a set of command line and GUI tools for producing Java source code from Android Dex and Apk files. versions prior to 1.4.5 are subject to a Denial of Service when opening zip files with HTML sequences. This issue has been patched in version 1.4.5. There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-21T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/skylot/jadx/security/advisories/GHSA-3r7j-8mqh-6qhx"
}
],
"source": {
"advisory": "GHSA-3r7j-8mqh-6qhx",
"discovery": "UNKNOWN"
},
"title": "Jadx-gui subject to Denial of Service via Swing HTML rendering"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-39259",
"datePublished": "2022-10-21T00:00:00.000Z",
"dateReserved": "2022-09-02T00:00:00.000Z",
"dateUpdated": "2025-04-22T17:18:05.407Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0219 (GCVE-0-2022-0219)
Vulnerability from nvd – Published: 2022-01-20 16:30 – Updated: 2024-08-02 23:18
VLAI
EPSS
VEX
Title
Improper Restriction of XML External Entity Reference in skylot/jadx
Summary
Improper Restriction of XML External Entity Reference in GitHub repository skylot/jadx prior to 1.3.2.
Severity
5.5 (Medium)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/0d093863-29e8-4dd7-a88… | x_refsource_CONFIRM |
| https://github.com/skylot/jadx/commit/d22db30166e… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| skylot | skylot/jadx |
Affected:
unspecified , < 1.3.2
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:18:42.982Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/0d093863-29e8-4dd7-a885-64f76d50bf5e"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/skylot/jadx/commit/d22db30166e7cb369d72be41382bb63ac8b81c52"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "skylot/jadx",
"vendor": "skylot",
"versions": [
{
"lessThan": "1.3.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper Restriction of XML External Entity Reference in GitHub repository skylot/jadx prior to 1.3.2."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-20T16:30:11.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/0d093863-29e8-4dd7-a885-64f76d50bf5e"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/skylot/jadx/commit/d22db30166e7cb369d72be41382bb63ac8b81c52"
}
],
"source": {
"advisory": "0d093863-29e8-4dd7-a885-64f76d50bf5e",
"discovery": "EXTERNAL"
},
"title": "Improper Restriction of XML External Entity Reference in skylot/jadx",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0219",
"STATE": "PUBLIC",
"TITLE": "Improper Restriction of XML External Entity Reference in skylot/jadx"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "skylot/jadx",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.3.2"
}
]
}
}
]
},
"vendor_name": "skylot"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper Restriction of XML External Entity Reference in GitHub repository skylot/jadx prior to 1.3.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-611 Improper Restriction of XML External Entity Reference"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/0d093863-29e8-4dd7-a885-64f76d50bf5e",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/0d093863-29e8-4dd7-a885-64f76d50bf5e"
},
{
"name": "https://github.com/skylot/jadx/commit/d22db30166e7cb369d72be41382bb63ac8b81c52",
"refsource": "MISC",
"url": "https://github.com/skylot/jadx/commit/d22db30166e7cb369d72be41382bb63ac8b81c52"
}
]
},
"source": {
"advisory": "0d093863-29e8-4dd7-a885-64f76d50bf5e",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0219",
"datePublished": "2022-01-20T16:30:11.000Z",
"dateReserved": "2022-01-13T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:18:42.982Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-54684 (GCVE-0-2026-54684)
Vulnerability from cvelistv5 – Published: 2026-07-14 21:46 – Updated: 2026-07-15 14:31
VLAI
EPSS
VEX
Title
jadx: XAPK archive entries with absolute paths can plant drop-in plugins and achieve code execution on the next jadx run
Summary
jadx is a Dex to Java decompiler. From 1.5.2 to 1.5.5, a malicious .xapk file can cause jadx to write attacker-controlled archive entry contents outside the intended XAPK plugin temporary unpack directory because XApkLoader resolves each entry name directly with tmpDir.resolve(fileName) after a CWD-based ZIP security check. When jadx is launched from a directory that is an ancestor of the config directory, the arbitrary write can plant a JAR in plugins/dropins, and the next jadx run loads the JAR with URLClassLoader and ServiceLoader, executing attacker-controlled plugin code. This issue is fixed in version 1.5.6.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/skylot/jadx/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/skylot/jadx/commit/a74bb07d6ee… | x_refsource_MISC |
| https://github.com/skylot/jadx/releases/tag/v1.5.6 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54684",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T14:30:45.535910Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T14:31:05.749Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/skylot/jadx/security/advisories/GHSA-gpvc-ccw7-744v"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jadx",
"vendor": "skylot",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.5.2, \u003c 1.5.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "jadx is a Dex to Java decompiler. From 1.5.2 to 1.5.5, a malicious .xapk file can cause jadx to write attacker-controlled archive entry contents outside the intended XAPK plugin temporary unpack directory because XApkLoader resolves each entry name directly with tmpDir.resolve(fileName) after a CWD-based ZIP security check. When jadx is launched from a directory that is an ancestor of the config directory, the arbitrary write can plant a JAR in plugins/dropins, and the next jadx run loads the JAR with URLClassLoader and ServiceLoader, executing attacker-controlled plugin code. This issue is fixed in version 1.5.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T21:46:29.373Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/skylot/jadx/security/advisories/GHSA-gpvc-ccw7-744v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/skylot/jadx/security/advisories/GHSA-gpvc-ccw7-744v"
},
{
"name": "https://github.com/skylot/jadx/commit/a74bb07d6eebaf4da5c2b2cbc4d3c0c3cb7517cb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/skylot/jadx/commit/a74bb07d6eebaf4da5c2b2cbc4d3c0c3cb7517cb"
},
{
"name": "https://github.com/skylot/jadx/releases/tag/v1.5.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/skylot/jadx/releases/tag/v1.5.6"
}
],
"source": {
"advisory": "GHSA-gpvc-ccw7-744v",
"discovery": "UNKNOWN"
},
"title": "jadx: XAPK archive entries with absolute paths can plant drop-in plugins and achieve code execution on the next jadx run"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54684",
"datePublished": "2026-07-14T21:46:29.373Z",
"dateReserved": "2026-06-15T22:53:58.561Z",
"dateUpdated": "2026-07-15T14:31:05.749Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42447 (GCVE-0-2026-42447)
Vulnerability from cvelistv5 – Published: 2026-07-14 21:45 – Updated: 2026-07-15 17:39
VLAI
EPSS
VEX
Title
jadx: HTML Injection in Summary panel
Summary
jadx is a Dex to Java decompiler. Prior to 1.5.6, jadx-gui is affected by an HTML injection vulnerability in the Summary tab because SummaryNode.java appends arches and perArchCount values derived from .so file path components inside an APK into an HTML panel without escaping. A malicious APK with an HTML URL-encoded ZIP entry name can force rendering of arbitrary HTML, perform out-of-band requests, disclose the victim IP address, or interact with locally exposed applications. This issue is fixed in version 1.5.6.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/skylot/jadx/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/skylot/jadx/commit/7713655feeb… | x_refsource_MISC |
| https://github.com/skylot/jadx/releases/tag/v1.5.6 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42447",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T17:39:21.622156Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T17:39:26.549Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/skylot/jadx/security/advisories/GHSA-jwv3-q635-w9m4"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jadx",
"vendor": "skylot",
"versions": [
{
"status": "affected",
"version": "\u003c 1.5.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "jadx is a Dex to Java decompiler. Prior to 1.5.6, jadx-gui is affected by an HTML injection vulnerability in the Summary tab because SummaryNode.java appends arches and perArchCount values derived from .so file path components inside an APK into an HTML panel without escaping. A malicious APK with an HTML URL-encoded ZIP entry name can force rendering of arbitrary HTML, perform out-of-band requests, disclose the victim IP address, or interact with locally exposed applications. This issue is fixed in version 1.5.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.6,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T21:45:33.878Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/skylot/jadx/security/advisories/GHSA-jwv3-q635-w9m4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/skylot/jadx/security/advisories/GHSA-jwv3-q635-w9m4"
},
{
"name": "https://github.com/skylot/jadx/commit/7713655feeb8e1c4b80797e8fc0e8eb1550b65ef",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/skylot/jadx/commit/7713655feeb8e1c4b80797e8fc0e8eb1550b65ef"
},
{
"name": "https://github.com/skylot/jadx/releases/tag/v1.5.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/skylot/jadx/releases/tag/v1.5.6"
}
],
"source": {
"advisory": "GHSA-jwv3-q635-w9m4",
"discovery": "UNKNOWN"
},
"title": "jadx: HTML Injection in Summary panel"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42447",
"datePublished": "2026-07-14T21:45:33.878Z",
"dateReserved": "2026-04-27T13:55:58.693Z",
"dateUpdated": "2026-07-15T17:39:26.549Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42049 (GCVE-0-2026-42049)
Vulnerability from cvelistv5 – Published: 2026-07-14 21:44 – Updated: 2026-07-15 13:26
VLAI
EPSS
VEX
Title
jadx: RCE Via Groovy Code Injection in Gradle Export
Summary
jadx is a Dex to Java decompiler. Prior to 1.5.6, jadx inserts the android:versionName value from an AndroidManifest into the generated app/build.gradle Groovy template without proper sanitization when exporting a decompiled APK as an Android Gradle project. A malicious APK can break out of the string context so that opening or building the exported Gradle project executes attacker-controlled Groovy code on the victim machine. This issue is fixed in version 1.5.6.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/skylot/jadx/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/skylot/jadx/commit/5a6e660b466… | x_refsource_MISC |
| https://github.com/skylot/jadx/releases/tag/v1.5.6 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42049",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T13:20:40.319570Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T13:26:06.033Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jadx",
"vendor": "skylot",
"versions": [
{
"status": "affected",
"version": "\u003c 1.5.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "jadx is a Dex to Java decompiler. Prior to 1.5.6, jadx inserts the android:versionName value from an AndroidManifest into the generated app/build.gradle Groovy template without proper sanitization when exporting a decompiled APK as an Android Gradle project. A malicious APK can break out of the string context so that opening or building the exported Gradle project executes attacker-controlled Groovy code on the victim machine. This issue is fixed in version 1.5.6."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T21:44:25.018Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/skylot/jadx/security/advisories/GHSA-w6f5-h4x4-rfpj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/skylot/jadx/security/advisories/GHSA-w6f5-h4x4-rfpj"
},
{
"name": "https://github.com/skylot/jadx/commit/5a6e660b4663d998d52c7dc4511299f3368ef611",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/skylot/jadx/commit/5a6e660b4663d998d52c7dc4511299f3368ef611"
},
{
"name": "https://github.com/skylot/jadx/releases/tag/v1.5.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/skylot/jadx/releases/tag/v1.5.6"
}
],
"source": {
"advisory": "GHSA-w6f5-h4x4-rfpj",
"discovery": "UNKNOWN"
},
"title": "jadx: RCE Via Groovy Code Injection in Gradle Export"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42049",
"datePublished": "2026-07-14T21:44:25.018Z",
"dateReserved": "2026-04-23T16:05:01.709Z",
"dateUpdated": "2026-07-15T13:26:06.033Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-32653 (GCVE-0-2024-32653)
Vulnerability from cvelistv5 – Published: 2024-04-22 22:13 – Updated: 2024-08-02 02:13
VLAI
EPSS
VEX
Title
Insufficient input filtering of "package name" allows command execution in the device with shell privileges
Summary
jadx is a Dex to Java decompiler. Prior to version 1.5.0, the package name is not filtered before concatenation. This can be exploited to inject arbitrary code into the package name. The vulnerability allows an attacker to execute commands with shell privileges. Version 1.5.0 contains a patch for the vulnerability.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/skylot/jadx/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/skylot/jadx/blob/9114821fb1255… | x_refsource_MISC |
| https://github.com/skylot/jadx/releases/tag/v1.5.0 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:skylot:jadx:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jadx",
"vendor": "skylot",
"versions": [
{
"lessThan": "1.5.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32653",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-23T15:17:46.461498Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T17:32:11.148Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:13:40.330Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/skylot/jadx/security/advisories/GHSA-3pp3-hg2q-9gpm",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/skylot/jadx/security/advisories/GHSA-3pp3-hg2q-9gpm"
},
{
"name": "https://github.com/skylot/jadx/blob/9114821fb12558874e01421bf38b0d34fb39df72/jadx-gui/src/main/java/jadx/gui/device/protocol/ADBDevice.java#L108-L109",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/skylot/jadx/blob/9114821fb12558874e01421bf38b0d34fb39df72/jadx-gui/src/main/java/jadx/gui/device/protocol/ADBDevice.java#L108-L109"
},
{
"name": "https://github.com/skylot/jadx/releases/tag/v1.5.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/skylot/jadx/releases/tag/v1.5.0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jadx",
"vendor": "skylot",
"versions": [
{
"status": "affected",
"version": "\u003c 1.5.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "jadx is a Dex to Java decompiler. Prior to version 1.5.0, the package name is not filtered before concatenation. This can be exploited to inject arbitrary code into the package name. The vulnerability allows an attacker to execute commands with shell privileges. Version 1.5.0 contains a patch for the vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-22T22:13:47.917Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/skylot/jadx/security/advisories/GHSA-3pp3-hg2q-9gpm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/skylot/jadx/security/advisories/GHSA-3pp3-hg2q-9gpm"
},
{
"name": "https://github.com/skylot/jadx/blob/9114821fb12558874e01421bf38b0d34fb39df72/jadx-gui/src/main/java/jadx/gui/device/protocol/ADBDevice.java#L108-L109",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/skylot/jadx/blob/9114821fb12558874e01421bf38b0d34fb39df72/jadx-gui/src/main/java/jadx/gui/device/protocol/ADBDevice.java#L108-L109"
},
{
"name": "https://github.com/skylot/jadx/releases/tag/v1.5.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/skylot/jadx/releases/tag/v1.5.0"
}
],
"source": {
"advisory": "GHSA-3pp3-hg2q-9gpm",
"discovery": "UNKNOWN"
},
"title": "Insufficient input filtering of \"package name\" allows command execution in the device with shell privileges"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-32653",
"datePublished": "2024-04-22T22:13:47.917Z",
"dateReserved": "2024-04-16T14:15:26.876Z",
"dateUpdated": "2024-08-02T02:13:40.330Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-39259 (GCVE-0-2022-39259)
Vulnerability from cvelistv5 – Published: 2022-10-21 00:00 – Updated: 2025-04-22 17:18
VLAI
EPSS
VEX
Title
Jadx-gui subject to Denial of Service via Swing HTML rendering
Summary
jadx is a set of command line and GUI tools for producing Java source code from Android Dex and Apk files. versions prior to 1.4.5 are subject to a Denial of Service when opening zip files with HTML sequences. This issue has been patched in version 1.4.5. There are no known workarounds.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
1 reference
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:00:43.352Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/skylot/jadx/security/advisories/GHSA-3r7j-8mqh-6qhx"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-39259",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:43:22.956688Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T17:18:05.407Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jadx",
"vendor": "skylot",
"versions": [
{
"status": "affected",
"version": "\u003c 1.4.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "jadx is a set of command line and GUI tools for producing Java source code from Android Dex and Apk files. versions prior to 1.4.5 are subject to a Denial of Service when opening zip files with HTML sequences. This issue has been patched in version 1.4.5. There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-21T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/skylot/jadx/security/advisories/GHSA-3r7j-8mqh-6qhx"
}
],
"source": {
"advisory": "GHSA-3r7j-8mqh-6qhx",
"discovery": "UNKNOWN"
},
"title": "Jadx-gui subject to Denial of Service via Swing HTML rendering"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-39259",
"datePublished": "2022-10-21T00:00:00.000Z",
"dateReserved": "2022-09-02T00:00:00.000Z",
"dateUpdated": "2025-04-22T17:18:05.407Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0219 (GCVE-0-2022-0219)
Vulnerability from cvelistv5 – Published: 2022-01-20 16:30 – Updated: 2024-08-02 23:18
VLAI
EPSS
VEX
Title
Improper Restriction of XML External Entity Reference in skylot/jadx
Summary
Improper Restriction of XML External Entity Reference in GitHub repository skylot/jadx prior to 1.3.2.
Severity
5.5 (Medium)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/0d093863-29e8-4dd7-a88… | x_refsource_CONFIRM |
| https://github.com/skylot/jadx/commit/d22db30166e… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| skylot | skylot/jadx |
Affected:
unspecified , < 1.3.2
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:18:42.982Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/0d093863-29e8-4dd7-a885-64f76d50bf5e"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/skylot/jadx/commit/d22db30166e7cb369d72be41382bb63ac8b81c52"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "skylot/jadx",
"vendor": "skylot",
"versions": [
{
"lessThan": "1.3.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper Restriction of XML External Entity Reference in GitHub repository skylot/jadx prior to 1.3.2."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-20T16:30:11.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/0d093863-29e8-4dd7-a885-64f76d50bf5e"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/skylot/jadx/commit/d22db30166e7cb369d72be41382bb63ac8b81c52"
}
],
"source": {
"advisory": "0d093863-29e8-4dd7-a885-64f76d50bf5e",
"discovery": "EXTERNAL"
},
"title": "Improper Restriction of XML External Entity Reference in skylot/jadx",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0219",
"STATE": "PUBLIC",
"TITLE": "Improper Restriction of XML External Entity Reference in skylot/jadx"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "skylot/jadx",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.3.2"
}
]
}
}
]
},
"vendor_name": "skylot"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper Restriction of XML External Entity Reference in GitHub repository skylot/jadx prior to 1.3.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-611 Improper Restriction of XML External Entity Reference"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/0d093863-29e8-4dd7-a885-64f76d50bf5e",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/0d093863-29e8-4dd7-a885-64f76d50bf5e"
},
{
"name": "https://github.com/skylot/jadx/commit/d22db30166e7cb369d72be41382bb63ac8b81c52",
"refsource": "MISC",
"url": "https://github.com/skylot/jadx/commit/d22db30166e7cb369d72be41382bb63ac8b81c52"
}
]
},
"source": {
"advisory": "0d093863-29e8-4dd7-a885-64f76d50bf5e",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0219",
"datePublished": "2022-01-20T16:30:11.000Z",
"dateReserved": "2022-01-13T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:18:42.982Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}