Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    12 vulnerabilities by skylot

    CVE-2026-54684 (GCVE-0-2026-54684)

    Vulnerability from nvd – Published: 2026-07-14 21:46 – Updated: 2026-07-15 14:31
    VLAI
    Title
    jadx: XAPK archive entries with absolute paths can plant drop-in plugins and achieve code execution on the next jadx run
    Summary
    jadx is a Dex to Java decompiler. From 1.5.2 to 1.5.5, a malicious .xapk file can cause jadx to write attacker-controlled archive entry contents outside the intended XAPK plugin temporary unpack directory because XApkLoader resolves each entry name directly with tmpDir.resolve(fileName) after a CWD-based ZIP security check. When jadx is launched from a directory that is an ancestor of the config directory, the arbitrary write can plant a JAR in plugins/dropins, and the next jadx run loads the JAR with URLClassLoader and ServiceLoader, executing attacker-controlled plugin code. This issue is fixed in version 1.5.6.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    skylot jadx Affected: >= 1.5.2, < 1.5.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-54684",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T14:30:45.535910Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T14:31:05.749Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/skylot/jadx/security/advisories/GHSA-gpvc-ccw7-744v"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jadx",
              "vendor": "skylot",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.5.2, \u003c 1.5.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "jadx is a Dex to Java decompiler. From 1.5.2 to 1.5.5, a malicious .xapk file can cause jadx to write attacker-controlled archive entry contents outside the intended XAPK plugin temporary unpack directory because XApkLoader resolves each entry name directly with tmpDir.resolve(fileName) after a CWD-based ZIP security check. When jadx is launched from a directory that is an ancestor of the config directory, the arbitrary write can plant a JAR in plugins/dropins, and the next jadx run loads the JAR with URLClassLoader and ServiceLoader, executing attacker-controlled plugin code. This issue is fixed in version 1.5.6."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T21:46:29.373Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/skylot/jadx/security/advisories/GHSA-gpvc-ccw7-744v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/skylot/jadx/security/advisories/GHSA-gpvc-ccw7-744v"
            },
            {
              "name": "https://github.com/skylot/jadx/commit/a74bb07d6eebaf4da5c2b2cbc4d3c0c3cb7517cb",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/skylot/jadx/commit/a74bb07d6eebaf4da5c2b2cbc4d3c0c3cb7517cb"
            },
            {
              "name": "https://github.com/skylot/jadx/releases/tag/v1.5.6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/skylot/jadx/releases/tag/v1.5.6"
            }
          ],
          "source": {
            "advisory": "GHSA-gpvc-ccw7-744v",
            "discovery": "UNKNOWN"
          },
          "title": "jadx: XAPK archive entries with absolute paths can plant drop-in plugins and achieve code execution on the next jadx run"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-54684",
        "datePublished": "2026-07-14T21:46:29.373Z",
        "dateReserved": "2026-06-15T22:53:58.561Z",
        "dateUpdated": "2026-07-15T14:31:05.749Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42447 (GCVE-0-2026-42447)

    Vulnerability from nvd – Published: 2026-07-14 21:45 – Updated: 2026-07-15 17:39
    VLAI
    Title
    jadx: HTML Injection in Summary panel
    Summary
    jadx is a Dex to Java decompiler. Prior to 1.5.6, jadx-gui is affected by an HTML injection vulnerability in the Summary tab because SummaryNode.java appends arches and perArchCount values derived from .so file path components inside an APK into an HTML panel without escaping. A malicious APK with an HTML URL-encoded ZIP entry name can force rendering of arbitrary HTML, perform out-of-band requests, disclose the victim IP address, or interact with locally exposed applications. This issue is fixed in version 1.5.6.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    skylot jadx Affected: < 1.5.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42447",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T17:39:21.622156Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T17:39:26.549Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/skylot/jadx/security/advisories/GHSA-jwv3-q635-w9m4"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jadx",
              "vendor": "skylot",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.5.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "jadx is a Dex to Java decompiler. Prior to 1.5.6, jadx-gui is affected by an HTML injection vulnerability in the Summary tab because SummaryNode.java appends arches and perArchCount values derived from .so file path components inside an APK into an HTML panel without escaping. A malicious APK with an HTML URL-encoded ZIP entry name can force rendering of arbitrary HTML, perform out-of-band requests, disclose the victim IP address, or interact with locally exposed applications. This issue is fixed in version 1.5.6."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 3.6,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T21:45:33.878Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/skylot/jadx/security/advisories/GHSA-jwv3-q635-w9m4",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/skylot/jadx/security/advisories/GHSA-jwv3-q635-w9m4"
            },
            {
              "name": "https://github.com/skylot/jadx/commit/7713655feeb8e1c4b80797e8fc0e8eb1550b65ef",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/skylot/jadx/commit/7713655feeb8e1c4b80797e8fc0e8eb1550b65ef"
            },
            {
              "name": "https://github.com/skylot/jadx/releases/tag/v1.5.6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/skylot/jadx/releases/tag/v1.5.6"
            }
          ],
          "source": {
            "advisory": "GHSA-jwv3-q635-w9m4",
            "discovery": "UNKNOWN"
          },
          "title": "jadx: HTML Injection in Summary panel"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-42447",
        "datePublished": "2026-07-14T21:45:33.878Z",
        "dateReserved": "2026-04-27T13:55:58.693Z",
        "dateUpdated": "2026-07-15T17:39:26.549Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42049 (GCVE-0-2026-42049)

    Vulnerability from nvd – Published: 2026-07-14 21:44 – Updated: 2026-07-15 13:26
    VLAI
    Title
    jadx: RCE Via Groovy Code Injection in Gradle Export
    Summary
    jadx is a Dex to Java decompiler. Prior to 1.5.6, jadx inserts the android:versionName value from an AndroidManifest into the generated app/build.gradle Groovy template without proper sanitization when exporting a decompiled APK as an Android Gradle project. A malicious APK can break out of the string context so that opening or building the exported Gradle project executes attacker-controlled Groovy code on the victim machine. This issue is fixed in version 1.5.6.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    Impacted products
    Vendor Product Version
    skylot jadx Affected: < 1.5.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42049",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T13:20:40.319570Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T13:26:06.033Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jadx",
              "vendor": "skylot",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.5.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "jadx is a Dex to Java decompiler. Prior to 1.5.6, jadx inserts the android:versionName value from an AndroidManifest into the generated app/build.gradle Groovy template without proper sanitization when exporting a decompiled APK as an Android Gradle project. A malicious APK can break out of the string context so that opening or building the exported Gradle project executes attacker-controlled Groovy code on the victim machine. This issue is fixed in version 1.5.6."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T21:44:25.018Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/skylot/jadx/security/advisories/GHSA-w6f5-h4x4-rfpj",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/skylot/jadx/security/advisories/GHSA-w6f5-h4x4-rfpj"
            },
            {
              "name": "https://github.com/skylot/jadx/commit/5a6e660b4663d998d52c7dc4511299f3368ef611",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/skylot/jadx/commit/5a6e660b4663d998d52c7dc4511299f3368ef611"
            },
            {
              "name": "https://github.com/skylot/jadx/releases/tag/v1.5.6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/skylot/jadx/releases/tag/v1.5.6"
            }
          ],
          "source": {
            "advisory": "GHSA-w6f5-h4x4-rfpj",
            "discovery": "UNKNOWN"
          },
          "title": "jadx: RCE Via Groovy Code Injection in Gradle Export"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-42049",
        "datePublished": "2026-07-14T21:44:25.018Z",
        "dateReserved": "2026-04-23T16:05:01.709Z",
        "dateUpdated": "2026-07-15T13:26:06.033Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-32653 (GCVE-0-2024-32653)

    Vulnerability from nvd – Published: 2024-04-22 22:13 – Updated: 2024-08-02 02:13
    VLAI
    Title
    Insufficient input filtering of "package name" allows command execution in the device with shell privileges
    Summary
    jadx is a Dex to Java decompiler. Prior to version 1.5.0, the package name is not filtered before concatenation. This can be exploited to inject arbitrary code into the package name. The vulnerability allows an attacker to execute commands with shell privileges. Version 1.5.0 contains a patch for the vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
    skylot jadx Affected: < 1.5.0
    Create a notification for this product.
    skylot jadx Affected: 0 , < 1.5.0 (semver)
        cpe:2.3:a:skylot:jadx:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:skylot:jadx:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jadx",
                "vendor": "skylot",
                "versions": [
                  {
                    "lessThan": "1.5.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-32653",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-23T15:17:46.461498Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-06T17:32:11.148Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T02:13:40.330Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/skylot/jadx/security/advisories/GHSA-3pp3-hg2q-9gpm",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/skylot/jadx/security/advisories/GHSA-3pp3-hg2q-9gpm"
              },
              {
                "name": "https://github.com/skylot/jadx/blob/9114821fb12558874e01421bf38b0d34fb39df72/jadx-gui/src/main/java/jadx/gui/device/protocol/ADBDevice.java#L108-L109",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/skylot/jadx/blob/9114821fb12558874e01421bf38b0d34fb39df72/jadx-gui/src/main/java/jadx/gui/device/protocol/ADBDevice.java#L108-L109"
              },
              {
                "name": "https://github.com/skylot/jadx/releases/tag/v1.5.0",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/skylot/jadx/releases/tag/v1.5.0"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jadx",
              "vendor": "skylot",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.5.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "jadx is a  Dex to Java decompiler. Prior to version 1.5.0,  the package name is not filtered before concatenation. This can be exploited to inject arbitrary code into the package name. The vulnerability allows an attacker to execute commands with shell privileges. Version 1.5.0 contains a patch for the vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-04-22T22:13:47.917Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/skylot/jadx/security/advisories/GHSA-3pp3-hg2q-9gpm",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/skylot/jadx/security/advisories/GHSA-3pp3-hg2q-9gpm"
            },
            {
              "name": "https://github.com/skylot/jadx/blob/9114821fb12558874e01421bf38b0d34fb39df72/jadx-gui/src/main/java/jadx/gui/device/protocol/ADBDevice.java#L108-L109",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/skylot/jadx/blob/9114821fb12558874e01421bf38b0d34fb39df72/jadx-gui/src/main/java/jadx/gui/device/protocol/ADBDevice.java#L108-L109"
            },
            {
              "name": "https://github.com/skylot/jadx/releases/tag/v1.5.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/skylot/jadx/releases/tag/v1.5.0"
            }
          ],
          "source": {
            "advisory": "GHSA-3pp3-hg2q-9gpm",
            "discovery": "UNKNOWN"
          },
          "title": "Insufficient input filtering of \"package name\" allows command execution in the device with shell privileges"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-32653",
        "datePublished": "2024-04-22T22:13:47.917Z",
        "dateReserved": "2024-04-16T14:15:26.876Z",
        "dateUpdated": "2024-08-02T02:13:40.330Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-39259 (GCVE-0-2022-39259)

    Vulnerability from nvd – Published: 2022-10-21 00:00 – Updated: 2025-04-22 17:18
    VLAI
    Title
    Jadx-gui subject to Denial of Service via Swing HTML rendering
    Summary
    jadx is a set of command line and GUI tools for producing Java source code from Android Dex and Apk files. versions prior to 1.4.5 are subject to a Denial of Service when opening zip files with HTML sequences. This issue has been patched in version 1.4.5. There are no known workarounds.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
    skylot jadx Affected: < 1.4.5
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T12:00:43.352Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/skylot/jadx/security/advisories/GHSA-3r7j-8mqh-6qhx"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-39259",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-22T15:43:22.956688Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-22T17:18:05.407Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jadx",
              "vendor": "skylot",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.4.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "jadx is a set of command line and GUI tools for producing Java source code from Android Dex and Apk files. versions prior to 1.4.5 are subject to a Denial of Service when opening zip files with HTML sequences. This issue has been patched in version 1.4.5. There are no known workarounds."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "LOW",
                "baseScore": 3.3,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-10-21T00:00:00.000Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "url": "https://github.com/skylot/jadx/security/advisories/GHSA-3r7j-8mqh-6qhx"
            }
          ],
          "source": {
            "advisory": "GHSA-3r7j-8mqh-6qhx",
            "discovery": "UNKNOWN"
          },
          "title": "Jadx-gui subject to Denial of Service via  Swing HTML rendering"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2022-39259",
        "datePublished": "2022-10-21T00:00:00.000Z",
        "dateReserved": "2022-09-02T00:00:00.000Z",
        "dateUpdated": "2025-04-22T17:18:05.407Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-0219 (GCVE-0-2022-0219)

    Vulnerability from nvd – Published: 2022-01-20 16:30 – Updated: 2024-08-02 23:18
    VLAI
    Title
    Improper Restriction of XML External Entity Reference in skylot/jadx
    Summary
    Improper Restriction of XML External Entity Reference in GitHub repository skylot/jadx prior to 1.3.2.
    CWE
    • CWE-611 - Improper Restriction of XML External Entity Reference
    Assigner
    References
    Impacted products
    Vendor Product Version
    skylot skylot/jadx Affected: unspecified , < 1.3.2 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T23:18:42.982Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/0d093863-29e8-4dd7-a885-64f76d50bf5e"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/skylot/jadx/commit/d22db30166e7cb369d72be41382bb63ac8b81c52"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "skylot/jadx",
              "vendor": "skylot",
              "versions": [
                {
                  "lessThan": "1.3.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper Restriction of XML External Entity Reference in GitHub repository skylot/jadx prior to 1.3.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-611",
                  "description": "CWE-611 Improper Restriction of XML External Entity Reference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-20T16:30:11.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/0d093863-29e8-4dd7-a885-64f76d50bf5e"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/skylot/jadx/commit/d22db30166e7cb369d72be41382bb63ac8b81c52"
            }
          ],
          "source": {
            "advisory": "0d093863-29e8-4dd7-a885-64f76d50bf5e",
            "discovery": "EXTERNAL"
          },
          "title": "Improper Restriction of XML External Entity Reference in skylot/jadx",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2022-0219",
              "STATE": "PUBLIC",
              "TITLE": "Improper Restriction of XML External Entity Reference in skylot/jadx"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "skylot/jadx",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "1.3.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "skylot"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Improper Restriction of XML External Entity Reference in GitHub repository skylot/jadx prior to 1.3.2."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-611 Improper Restriction of XML External Entity Reference"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://huntr.dev/bounties/0d093863-29e8-4dd7-a885-64f76d50bf5e",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/0d093863-29e8-4dd7-a885-64f76d50bf5e"
                },
                {
                  "name": "https://github.com/skylot/jadx/commit/d22db30166e7cb369d72be41382bb63ac8b81c52",
                  "refsource": "MISC",
                  "url": "https://github.com/skylot/jadx/commit/d22db30166e7cb369d72be41382bb63ac8b81c52"
                }
              ]
            },
            "source": {
              "advisory": "0d093863-29e8-4dd7-a885-64f76d50bf5e",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-0219",
        "datePublished": "2022-01-20T16:30:11.000Z",
        "dateReserved": "2022-01-13T00:00:00.000Z",
        "dateUpdated": "2024-08-02T23:18:42.982Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-54684 (GCVE-0-2026-54684)

    Vulnerability from cvelistv5 – Published: 2026-07-14 21:46 – Updated: 2026-07-15 14:31
    VLAI
    Title
    jadx: XAPK archive entries with absolute paths can plant drop-in plugins and achieve code execution on the next jadx run
    Summary
    jadx is a Dex to Java decompiler. From 1.5.2 to 1.5.5, a malicious .xapk file can cause jadx to write attacker-controlled archive entry contents outside the intended XAPK plugin temporary unpack directory because XApkLoader resolves each entry name directly with tmpDir.resolve(fileName) after a CWD-based ZIP security check. When jadx is launched from a directory that is an ancestor of the config directory, the arbitrary write can plant a JAR in plugins/dropins, and the next jadx run loads the JAR with URLClassLoader and ServiceLoader, executing attacker-controlled plugin code. This issue is fixed in version 1.5.6.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    skylot jadx Affected: >= 1.5.2, < 1.5.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-54684",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T14:30:45.535910Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T14:31:05.749Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/skylot/jadx/security/advisories/GHSA-gpvc-ccw7-744v"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jadx",
              "vendor": "skylot",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.5.2, \u003c 1.5.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "jadx is a Dex to Java decompiler. From 1.5.2 to 1.5.5, a malicious .xapk file can cause jadx to write attacker-controlled archive entry contents outside the intended XAPK plugin temporary unpack directory because XApkLoader resolves each entry name directly with tmpDir.resolve(fileName) after a CWD-based ZIP security check. When jadx is launched from a directory that is an ancestor of the config directory, the arbitrary write can plant a JAR in plugins/dropins, and the next jadx run loads the JAR with URLClassLoader and ServiceLoader, executing attacker-controlled plugin code. This issue is fixed in version 1.5.6."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T21:46:29.373Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/skylot/jadx/security/advisories/GHSA-gpvc-ccw7-744v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/skylot/jadx/security/advisories/GHSA-gpvc-ccw7-744v"
            },
            {
              "name": "https://github.com/skylot/jadx/commit/a74bb07d6eebaf4da5c2b2cbc4d3c0c3cb7517cb",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/skylot/jadx/commit/a74bb07d6eebaf4da5c2b2cbc4d3c0c3cb7517cb"
            },
            {
              "name": "https://github.com/skylot/jadx/releases/tag/v1.5.6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/skylot/jadx/releases/tag/v1.5.6"
            }
          ],
          "source": {
            "advisory": "GHSA-gpvc-ccw7-744v",
            "discovery": "UNKNOWN"
          },
          "title": "jadx: XAPK archive entries with absolute paths can plant drop-in plugins and achieve code execution on the next jadx run"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-54684",
        "datePublished": "2026-07-14T21:46:29.373Z",
        "dateReserved": "2026-06-15T22:53:58.561Z",
        "dateUpdated": "2026-07-15T14:31:05.749Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42447 (GCVE-0-2026-42447)

    Vulnerability from cvelistv5 – Published: 2026-07-14 21:45 – Updated: 2026-07-15 17:39
    VLAI
    Title
    jadx: HTML Injection in Summary panel
    Summary
    jadx is a Dex to Java decompiler. Prior to 1.5.6, jadx-gui is affected by an HTML injection vulnerability in the Summary tab because SummaryNode.java appends arches and perArchCount values derived from .so file path components inside an APK into an HTML panel without escaping. A malicious APK with an HTML URL-encoded ZIP entry name can force rendering of arbitrary HTML, perform out-of-band requests, disclose the victim IP address, or interact with locally exposed applications. This issue is fixed in version 1.5.6.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    skylot jadx Affected: < 1.5.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42447",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T17:39:21.622156Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T17:39:26.549Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/skylot/jadx/security/advisories/GHSA-jwv3-q635-w9m4"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jadx",
              "vendor": "skylot",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.5.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "jadx is a Dex to Java decompiler. Prior to 1.5.6, jadx-gui is affected by an HTML injection vulnerability in the Summary tab because SummaryNode.java appends arches and perArchCount values derived from .so file path components inside an APK into an HTML panel without escaping. A malicious APK with an HTML URL-encoded ZIP entry name can force rendering of arbitrary HTML, perform out-of-band requests, disclose the victim IP address, or interact with locally exposed applications. This issue is fixed in version 1.5.6."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 3.6,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T21:45:33.878Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/skylot/jadx/security/advisories/GHSA-jwv3-q635-w9m4",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/skylot/jadx/security/advisories/GHSA-jwv3-q635-w9m4"
            },
            {
              "name": "https://github.com/skylot/jadx/commit/7713655feeb8e1c4b80797e8fc0e8eb1550b65ef",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/skylot/jadx/commit/7713655feeb8e1c4b80797e8fc0e8eb1550b65ef"
            },
            {
              "name": "https://github.com/skylot/jadx/releases/tag/v1.5.6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/skylot/jadx/releases/tag/v1.5.6"
            }
          ],
          "source": {
            "advisory": "GHSA-jwv3-q635-w9m4",
            "discovery": "UNKNOWN"
          },
          "title": "jadx: HTML Injection in Summary panel"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-42447",
        "datePublished": "2026-07-14T21:45:33.878Z",
        "dateReserved": "2026-04-27T13:55:58.693Z",
        "dateUpdated": "2026-07-15T17:39:26.549Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42049 (GCVE-0-2026-42049)

    Vulnerability from cvelistv5 – Published: 2026-07-14 21:44 – Updated: 2026-07-15 13:26
    VLAI
    Title
    jadx: RCE Via Groovy Code Injection in Gradle Export
    Summary
    jadx is a Dex to Java decompiler. Prior to 1.5.6, jadx inserts the android:versionName value from an AndroidManifest into the generated app/build.gradle Groovy template without proper sanitization when exporting a decompiled APK as an Android Gradle project. A malicious APK can break out of the string context so that opening or building the exported Gradle project executes attacker-controlled Groovy code on the victim machine. This issue is fixed in version 1.5.6.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    Impacted products
    Vendor Product Version
    skylot jadx Affected: < 1.5.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42049",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T13:20:40.319570Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T13:26:06.033Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jadx",
              "vendor": "skylot",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.5.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "jadx is a Dex to Java decompiler. Prior to 1.5.6, jadx inserts the android:versionName value from an AndroidManifest into the generated app/build.gradle Groovy template without proper sanitization when exporting a decompiled APK as an Android Gradle project. A malicious APK can break out of the string context so that opening or building the exported Gradle project executes attacker-controlled Groovy code on the victim machine. This issue is fixed in version 1.5.6."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 8.4,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T21:44:25.018Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/skylot/jadx/security/advisories/GHSA-w6f5-h4x4-rfpj",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/skylot/jadx/security/advisories/GHSA-w6f5-h4x4-rfpj"
            },
            {
              "name": "https://github.com/skylot/jadx/commit/5a6e660b4663d998d52c7dc4511299f3368ef611",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/skylot/jadx/commit/5a6e660b4663d998d52c7dc4511299f3368ef611"
            },
            {
              "name": "https://github.com/skylot/jadx/releases/tag/v1.5.6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/skylot/jadx/releases/tag/v1.5.6"
            }
          ],
          "source": {
            "advisory": "GHSA-w6f5-h4x4-rfpj",
            "discovery": "UNKNOWN"
          },
          "title": "jadx: RCE Via Groovy Code Injection in Gradle Export"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-42049",
        "datePublished": "2026-07-14T21:44:25.018Z",
        "dateReserved": "2026-04-23T16:05:01.709Z",
        "dateUpdated": "2026-07-15T13:26:06.033Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-32653 (GCVE-0-2024-32653)

    Vulnerability from cvelistv5 – Published: 2024-04-22 22:13 – Updated: 2024-08-02 02:13
    VLAI
    Title
    Insufficient input filtering of "package name" allows command execution in the device with shell privileges
    Summary
    jadx is a Dex to Java decompiler. Prior to version 1.5.0, the package name is not filtered before concatenation. This can be exploited to inject arbitrary code into the package name. The vulnerability allows an attacker to execute commands with shell privileges. Version 1.5.0 contains a patch for the vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
    skylot jadx Affected: < 1.5.0
    Create a notification for this product.
    skylot jadx Affected: 0 , < 1.5.0 (semver)
        cpe:2.3:a:skylot:jadx:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:skylot:jadx:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jadx",
                "vendor": "skylot",
                "versions": [
                  {
                    "lessThan": "1.5.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-32653",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-23T15:17:46.461498Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-06T17:32:11.148Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T02:13:40.330Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/skylot/jadx/security/advisories/GHSA-3pp3-hg2q-9gpm",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/skylot/jadx/security/advisories/GHSA-3pp3-hg2q-9gpm"
              },
              {
                "name": "https://github.com/skylot/jadx/blob/9114821fb12558874e01421bf38b0d34fb39df72/jadx-gui/src/main/java/jadx/gui/device/protocol/ADBDevice.java#L108-L109",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/skylot/jadx/blob/9114821fb12558874e01421bf38b0d34fb39df72/jadx-gui/src/main/java/jadx/gui/device/protocol/ADBDevice.java#L108-L109"
              },
              {
                "name": "https://github.com/skylot/jadx/releases/tag/v1.5.0",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/skylot/jadx/releases/tag/v1.5.0"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jadx",
              "vendor": "skylot",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.5.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "jadx is a  Dex to Java decompiler. Prior to version 1.5.0,  the package name is not filtered before concatenation. This can be exploited to inject arbitrary code into the package name. The vulnerability allows an attacker to execute commands with shell privileges. Version 1.5.0 contains a patch for the vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-04-22T22:13:47.917Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/skylot/jadx/security/advisories/GHSA-3pp3-hg2q-9gpm",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/skylot/jadx/security/advisories/GHSA-3pp3-hg2q-9gpm"
            },
            {
              "name": "https://github.com/skylot/jadx/blob/9114821fb12558874e01421bf38b0d34fb39df72/jadx-gui/src/main/java/jadx/gui/device/protocol/ADBDevice.java#L108-L109",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/skylot/jadx/blob/9114821fb12558874e01421bf38b0d34fb39df72/jadx-gui/src/main/java/jadx/gui/device/protocol/ADBDevice.java#L108-L109"
            },
            {
              "name": "https://github.com/skylot/jadx/releases/tag/v1.5.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/skylot/jadx/releases/tag/v1.5.0"
            }
          ],
          "source": {
            "advisory": "GHSA-3pp3-hg2q-9gpm",
            "discovery": "UNKNOWN"
          },
          "title": "Insufficient input filtering of \"package name\" allows command execution in the device with shell privileges"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-32653",
        "datePublished": "2024-04-22T22:13:47.917Z",
        "dateReserved": "2024-04-16T14:15:26.876Z",
        "dateUpdated": "2024-08-02T02:13:40.330Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-39259 (GCVE-0-2022-39259)

    Vulnerability from cvelistv5 – Published: 2022-10-21 00:00 – Updated: 2025-04-22 17:18
    VLAI
    Title
    Jadx-gui subject to Denial of Service via Swing HTML rendering
    Summary
    jadx is a set of command line and GUI tools for producing Java source code from Android Dex and Apk files. versions prior to 1.4.5 are subject to a Denial of Service when opening zip files with HTML sequences. This issue has been patched in version 1.4.5. There are no known workarounds.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
    skylot jadx Affected: < 1.4.5
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T12:00:43.352Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/skylot/jadx/security/advisories/GHSA-3r7j-8mqh-6qhx"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-39259",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-22T15:43:22.956688Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-22T17:18:05.407Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "jadx",
              "vendor": "skylot",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.4.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "jadx is a set of command line and GUI tools for producing Java source code from Android Dex and Apk files. versions prior to 1.4.5 are subject to a Denial of Service when opening zip files with HTML sequences. This issue has been patched in version 1.4.5. There are no known workarounds."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "LOW",
                "baseScore": 3.3,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-10-21T00:00:00.000Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "url": "https://github.com/skylot/jadx/security/advisories/GHSA-3r7j-8mqh-6qhx"
            }
          ],
          "source": {
            "advisory": "GHSA-3r7j-8mqh-6qhx",
            "discovery": "UNKNOWN"
          },
          "title": "Jadx-gui subject to Denial of Service via  Swing HTML rendering"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2022-39259",
        "datePublished": "2022-10-21T00:00:00.000Z",
        "dateReserved": "2022-09-02T00:00:00.000Z",
        "dateUpdated": "2025-04-22T17:18:05.407Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-0219 (GCVE-0-2022-0219)

    Vulnerability from cvelistv5 – Published: 2022-01-20 16:30 – Updated: 2024-08-02 23:18
    VLAI
    Title
    Improper Restriction of XML External Entity Reference in skylot/jadx
    Summary
    Improper Restriction of XML External Entity Reference in GitHub repository skylot/jadx prior to 1.3.2.
    CWE
    • CWE-611 - Improper Restriction of XML External Entity Reference
    Assigner
    References
    Impacted products
    Vendor Product Version
    skylot skylot/jadx Affected: unspecified , < 1.3.2 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T23:18:42.982Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/0d093863-29e8-4dd7-a885-64f76d50bf5e"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/skylot/jadx/commit/d22db30166e7cb369d72be41382bb63ac8b81c52"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "skylot/jadx",
              "vendor": "skylot",
              "versions": [
                {
                  "lessThan": "1.3.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper Restriction of XML External Entity Reference in GitHub repository skylot/jadx prior to 1.3.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-611",
                  "description": "CWE-611 Improper Restriction of XML External Entity Reference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-20T16:30:11.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/0d093863-29e8-4dd7-a885-64f76d50bf5e"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/skylot/jadx/commit/d22db30166e7cb369d72be41382bb63ac8b81c52"
            }
          ],
          "source": {
            "advisory": "0d093863-29e8-4dd7-a885-64f76d50bf5e",
            "discovery": "EXTERNAL"
          },
          "title": "Improper Restriction of XML External Entity Reference in skylot/jadx",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2022-0219",
              "STATE": "PUBLIC",
              "TITLE": "Improper Restriction of XML External Entity Reference in skylot/jadx"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "skylot/jadx",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "1.3.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "skylot"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Improper Restriction of XML External Entity Reference in GitHub repository skylot/jadx prior to 1.3.2."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-611 Improper Restriction of XML External Entity Reference"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://huntr.dev/bounties/0d093863-29e8-4dd7-a885-64f76d50bf5e",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/0d093863-29e8-4dd7-a885-64f76d50bf5e"
                },
                {
                  "name": "https://github.com/skylot/jadx/commit/d22db30166e7cb369d72be41382bb63ac8b81c52",
                  "refsource": "MISC",
                  "url": "https://github.com/skylot/jadx/commit/d22db30166e7cb369d72be41382bb63ac8b81c52"
                }
              ]
            },
            "source": {
              "advisory": "0d093863-29e8-4dd7-a885-64f76d50bf5e",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-0219",
        "datePublished": "2022-01-20T16:30:11.000Z",
        "dateReserved": "2022-01-13T00:00:00.000Z",
        "dateUpdated": "2024-08-02T23:18:42.982Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }