46 matches found
CVE-2026-54684
CVE-2026-54684 — jadx (Dex to Java decompiler) Affected versions: 1.5.2 to 1.5.5. The vulnerability arises when processing a malicious .xapk file: XApkLoader resolves each entry name directly with tmpDir.resolve(fileName) after a CWD-based ZIP security check, allowing an attacker to write archive...
CVE-2026-42447
CVE-2026-42447 affects jadx (Dex to Java decompiler). The HTML injection occurs in the Summary tab via SummaryNode.java, which unescapes and inserts path components from an APK’s .so file entries into HTML without escaping. A malicious APK with a crafted HTML URL-encoded ZIP entry name can render...
CVE-2026-42049
CVE-2026-42049 affects jadx (Dex to Java decompiler). Before 1.5.6, exporting a decompiled APK as an Android Gradle project could cause the android:versionName from the manifest to be inserted into the generated app/build.gradle Groovy template without proper sanitization, enabling opening or bui...
PT-2026-58858
Name of the Vulnerable Software and Affected Versions jadx versions 1.5.2 through 1.5.5 Description A path traversal issue exists where a malicious .xapk file can cause the application to write attacker-controlled archive entry contents outside the intended XAPK plugin temporary unpack directory...
CVE-2022-0219
Improper Restriction of XML External Entity Reference in GitHub repository skylot/jadx prior to 1.3.2...
EUVD-2022-7005
Malicious code in bioql PyPI...
EUVD-2022-0685
Malicious code in bioql PyPI...
CVE-2024-32653
jadx is a Dex to Java decompiler. Prior to version 1.5.0, the package name is not filtered before concatenation. This can be exploited to inject arbitrary code into the package name. The vulnerability allows an attacker to execute commands with shell privileges. Version 1.5.0 contains a patch for...
CVE-2022-39259
jadx is a set of command line and GUI tools for producing Java source code from Android Dex and Apk files. versions prior to 1.4.5 are subject to a Denial of Service when opening zip files with HTML sequences. This issue has been patched in version 1.4.5. There are no known workarounds...
Improper Input Validation
jadx is vulnerable to Improper Input Validation. The vulnerability is due to lack of filtering of the package name before concatenation, allowing an attacker to inject arbitrary code into the package name, which could be exploited to execute commands with shell privileges...
Path Traversal
io.github.skylot:jadx-core is vulnerable to Path Traversal. The vulnerability is due to improper handling of escape characters in resource files and insufficient validation in processing zip files. This can lead to the possibility of overwriting other files in the directory when saving the...
CVE-2024-32653
jadx is a Dex to Java decompiler. Prior to version 1.5.0, the package name is not filtered before concatenation. This can be exploited to inject arbitrary code into the package name. The vulnerability allows an attacker to execute commands with shell privileges. Version 1.5.0 contains a patch for...
CVE-2024-32653
CVE-2024-32653 concerns Jadx, a Dex-to-Java decompiler. Before 1.5.0, the package name is not filtered prior to concatenation, enabling an attacker to inject arbitrary code into the package name and execute commands with shell privileges. The affected version is fixed in 1.5.0, which contains a p...
CVE-2024-32653 Insufficient input filtering of "package name" allows command execution in the device with shell privileges
jadx is a Dex to Java decompiler. Prior to version 1.5.0, the package name is not filtered before concatenation. This can be exploited to inject arbitrary code into the package name. The vulnerability allows an attacker to execute commands with shell privileges. Version 1.5.0 contains a patch for...
JADX file override vulnerability
Summary when jadx parses a resource file, there is an escape problem with the style file, which can overwrite other files in the directory when saving the decompile result. Although I don't think this vulnerability realizes path traversal in the true sense of the word , I reported it anyway Detai...
GHSA-HVP5-5X4F-33FQ JADX file override vulnerability
Summary when jadx parses a resource file, there is an escape problem with the style file, which can overwrite other files in the directory when saving the decompile result. Although I don't think this vulnerability realizes path traversal in the true sense of the word , I reported it anyway Detai...
PT-2024-24747 · Jadx · Jadx
Name of the Vulnerable Software and Affected Versions: jadx versions prior to 1.5.0 Description: The issue concerns a Dex to Java decompiler where the package name is not filtered before concatenation, allowing an attacker to inject arbitrary code into the package name. This can be exploited to...
PT-2024-40332 · Jadx · Jadx
Name of the Vulnerable Software and Affected Versions: jadx affected versions not specified Description: The issue arises when jadx parses a resource file, specifically with an escape problem related to style files. This can lead to overwriting other files in the directory when saving the...
Skylot Jadx 安全漏洞
Skylot Jadx is a Dex to Java decompiler. A security vulnerability exists in Skylot Jadx versions prior to 1.5.0 that stems from insufficient input filtering of the package name, which allows an attacker to execute commands in a device with shell privileges...
CVE-2022-39259
jadx is a set of command line and GUI tools for producing Java source code from Android Dex and Apk files. versions prior to 1.4.5 are subject to a Denial of Service when opening zip files with HTML sequences. This issue has been patched in version 1.4.5. There are no known workarounds...