Lucene search
+L

54 matches found

NVD
NVD
added 4 days ago8 views

CVE-2026-54684

jadx is a Dex to Java decompiler. From 1.5.2 to 1.5.5, a malicious .xapk file can cause jadx to write attacker-controlled archive entry contents outside the intended XAPK plugin temporary unpack directory because XApkLoader resolves each entry name directly with tmpDir.resolvefileName after a...

7CVSS0.00133EPSS
Exploits0References3
NVD
NVD
added 4 days ago8 views

CVE-2026-42049

jadx is a Dex to Java decompiler. Prior to 1.5.6, jadx inserts the android:versionName value from an AndroidManifest into the generated app/build.gradle Groovy template without proper sanitization when exporting a decompiled APK as an Android Gradle project. A malicious APK can break out of the...

8.4CVSS0.00151EPSS
Exploits0References3
Cvelist
Cvelist
added 4 days ago34 views

CVE-2026-54684 jadx: XAPK archive entries with absolute paths can plant drop-in plugins and achieve code execution on the next jadx run

jadx is a Dex to Java decompiler. From 1.5.2 to 1.5.5, a malicious .xapk file can cause jadx to write attacker-controlled archive entry contents outside the intended XAPK plugin temporary unpack directory because XApkLoader resolves each entry name directly with tmpDir.resolvefileName after a...

7CVSS0.00133EPSS
Exploits0References3
CVE
CVE
added 4 days ago11 views

CVE-2026-54684

CVE-2026-54684 — jadx (Dex to Java decompiler) Affected versions: 1.5.2 to 1.5.5. The vulnerability arises when processing a malicious .xapk file: XApkLoader resolves each entry name directly with tmpDir.resolve(fileName) after a CWD-based ZIP security check, allowing an attacker to write archive...

7CVSS6.2AI score0.00133EPSS
Exploits0References3
OSV
OSV
added 4 days ago4 views

CVE-2026-54684 jadx: XAPK archive entries with absolute paths can plant drop-in plugins and achieve code execution on the next jadx run

jadx is a Dex to Java decompiler. From 1.5.2 to 1.5.5, a malicious .xapk file can cause jadx to write attacker-controlled archive entry contents outside the intended XAPK plugin temporary unpack directory because XApkLoader resolves each entry name directly with tmpDir.resolvefileName after a...

7CVSS6.2AI score0.00133EPSS
Exploits0References5
Cvelist
Cvelist
added 4 days ago33 views

CVE-2026-42447 jadx: HTML Injection in Summary panel

jadx is a Dex to Java decompiler. Prior to 1.5.6, jadx-gui is affected by an HTML injection vulnerability in the Summary tab because SummaryNode.java appends arches and perArchCount values derived from .so file path components inside an APK into an HTML panel without escaping. A malicious APK wit...

3.6CVSS0.00139EPSS
Exploits0References3
CVE
CVE
added 4 days ago11 views

CVE-2026-42447

CVE-2026-42447 affects jadx (Dex to Java decompiler). The HTML injection occurs in the Summary tab via SummaryNode.java, which unescapes and inserts path components from an APK’s .so file entries into HTML without escaping. A malicious APK with a crafted HTML URL-encoded ZIP entry name can render...

3.6CVSS6.2AI score0.00139EPSS
Exploits0References3
OSV
OSV
added 4 days ago6 views

CVE-2026-42447 jadx: HTML Injection in Summary panel

jadx is a Dex to Java decompiler. Prior to 1.5.6, jadx-gui is affected by an HTML injection vulnerability in the Summary tab because SummaryNode.java appends arches and perArchCount values derived from .so file path components inside an APK into an HTML panel without escaping. A malicious APK wit...

3.6CVSS6.2AI score0.00139EPSS
Exploits0References5
OSV
OSV
added 4 days ago7 views

CVE-2026-42049 jadx: RCE Via Groovy Code Injection in Gradle Export

jadx is a Dex to Java decompiler. Prior to 1.5.6, jadx inserts the android:versionName value from an AndroidManifest into the generated app/build.gradle Groovy template without proper sanitization when exporting a decompiled APK as an Android Gradle project. A malicious APK can break out of the...

8.4CVSS6.2AI score0.00151EPSS
Exploits0References5
CVE
CVE
added 4 days ago14 views

CVE-2026-42049

CVE-2026-42049 affects jadx (Dex to Java decompiler). Before 1.5.6, exporting a decompiled APK as an Android Gradle project could cause the android:versionName from the manifest to be inserted into the generated app/build.gradle Groovy template without proper sanitization, enabling opening or bui...

8.4CVSS6.2AI score0.00151EPSS
Exploits0References3
Cvelist
Cvelist
added 4 days ago34 views

CVE-2026-42049 jadx: RCE Via Groovy Code Injection in Gradle Export

jadx is a Dex to Java decompiler. Prior to 1.5.6, jadx inserts the android:versionName value from an AndroidManifest into the generated app/build.gradle Groovy template without proper sanitization when exporting a decompiled APK as an Android Gradle project. A malicious APK can break out of the...

8.4CVSS0.00151EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 4 days ago7 views

PT-2026-58858

Name of the Vulnerable Software and Affected Versions jadx versions 1.5.2 through 1.5.5 Description A path traversal issue exists where a malicious .xapk file can cause the application to write attacker-controlled archive entry contents outside the intended XAPK plugin temporary unpack directory...

7CVSS6.3AI score0.00133EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/01/09 9:12 a.m.8 views

CVE-2022-0219

Improper Restriction of XML External Entity Reference in GitHub repository skylot/jadx prior to 1.3.2...

5.5CVSS6.8AI score0.01059EPSS
Exploits1References1
EUVD
EUVD
added 2025/10/03 8:7 p.m.8 views

EUVD-2022-7005

Malicious code in bioql PyPI...

5.5CVSS5.6AI score0.00312EPSS
Exploits1References5
EUVD
EUVD
added 2025/10/03 8:7 p.m.7 views

EUVD-2022-0685

Malicious code in bioql PyPI...

5.5CVSS5.5AI score0.01059EPSS
Exploits1References4
RedhatCVE
RedhatCVE
added 2025/05/23 8:37 a.m.10 views

CVE-2024-32653

jadx is a Dex to Java decompiler. Prior to version 1.5.0, the package name is not filtered before concatenation. This can be exploited to inject arbitrary code into the package name. The vulnerability allows an attacker to execute commands with shell privileges. Version 1.5.0 contains a patch for...

6.1CVSS7.7AI score0.00236EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/22 10:6 p.m.22 views

CVE-2022-39259

jadx is a set of command line and GUI tools for producing Java source code from Android Dex and Apk files. versions prior to 1.4.5 are subject to a Denial of Service when opening zip files with HTML sequences. This issue has been patched in version 1.4.5. There are no known workarounds...

5.5CVSS6.9AI score0.00312EPSS
Exploits1References1
Veracode
Veracode
added 2024/04/23 6:42 p.m.22 views

Improper Input Validation

jadx is vulnerable to Improper Input Validation. The vulnerability is due to lack of filtering of the package name before concatenation, allowing an attacker to inject arbitrary code into the package name, which could be exploited to execute commands with shell privileges...

6.1CVSS7.7AI score0.00236EPSS
Exploits0References3Affected Software1
Veracode
Veracode
added 2024/04/23 6:56 a.m.14 views

Path Traversal

io.github.skylot:jadx-core is vulnerable to Path Traversal. The vulnerability is due to improper handling of escape characters in resource files and insufficient validation in processing zip files. This can lead to the possibility of overwriting other files in the directory when saving the...

7AI score
Exploits0
NVD
NVD
added 2024/04/22 11:15 p.m.14 views

CVE-2024-32653

jadx is a Dex to Java decompiler. Prior to version 1.5.0, the package name is not filtered before concatenation. This can be exploited to inject arbitrary code into the package name. The vulnerability allows an attacker to execute commands with shell privileges. Version 1.5.0 contains a patch for...

6.1CVSS6.7AI score0.00236EPSS
Exploits0References3
Rows per page
Query Builder