CVE-2026-54684 jadx: XAPK archive entries with absolute paths can plant drop-in plugins and achieve code execution on the next jadx run
jadx is a Dex to Java decompiler. From 1.5.2 to 1.5.5, a malicious .xapk file can cause jadx to write attacker-controlled archive entry contents outside the intended XAPK plugin temporary unpack directory because XApkLoader resolves each entry name directly with tmpDir.resolvefileName after a...