Path Traversal Vulnerability in Apktool Affects Reverse Engineering of Android APK Files
CVE-2026-39973

7.1 HIGH

Key Information:

CVE Published: 21 April 2026

What is CVE-2026-39973?

Apktool 3.0.0 and 3.0.1 do not sanitize the file paths they read from an APK before using them as output paths. A maliciously crafted APK whose resource file paths contain ../ sequences can therefore steer where the decoder (apktool d) writes: instead of landing under the chosen output directory, files from the APK are written to arbitrary locations that the invoking user can write to. Because the write happens with the privileges of whoever runs Apktool, an analyst who decodes an untrusted sample can have existing files created or overwritten on their own machine, which is why the flaw is rated high rather than as a mere nuisance. Version 3.0.2 restores the path sanitization that these two releases lacked.
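As an added example (not Apktool's own code), the snippet below shows the bug class and its fix in Python: the unsanitized join that lets an entry named res/../../.bashrc land in the analyst's home directory, a hardened join that rejects traversal syntax and then re-verifies the resolved path against the output directory, and a pre-flight audit over a constructed APK. The output directory, file names and APK contents are all made up for illustration.

```python
"""Added example (not Apktool's code): rejecting '../' traversal in
attacker-controlled relative paths, such as the resource file paths and zip
entry names found in an APK, before they are joined onto an output directory.
The output directory, file names and the crafted APK are all constructed."""
import io
import os
import posixpath
import zipfile
from pathlib import PurePosixPath
from typing import Dict, List, Optional


def is_traversal(relpath: str) -> bool:
    """True if relpath must not be joined onto an output directory.

    Rejects empty names, embedded NULs, backslashes (a Windows separator
    that a POSIX normalizer would treat as an ordinary character), absolute
    paths, Windows drive prefixes, and any '..' segment. Rejecting every
    '..' is stricter than "does it actually escape", on purpose: legitimate
    APK content never needs one.
    """
    if not relpath or "\x00" in relpath or "\\" in relpath:
        return True
    if relpath.startswith("/") or (len(relpath) > 1 and relpath[1] == ":"):
        return True
    return ".." in PurePosixPath(relpath).parts


def naive_target(out_dir: str, relpath: str) -> str:
    """What an unsanitized decoder effectively does: join, then normalize.
    With 'res/../../.bashrc' the result leaves out_dir entirely."""
    return posixpath.normpath(posixpath.join(out_dir, relpath))


def safe_target(out_dir: str, relpath: str) -> str:
    """Hardened join: refuse traversal syntax, then verify that the resolved
    path is still inside out_dir (realpath also collapses symlinked parts)."""
    if is_traversal(relpath):
        raise ValueError(f"refusing traversal path {relpath!r}")
    base = os.path.realpath(out_dir)
    target = os.path.realpath(os.path.join(base, relpath))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"{relpath!r} resolves outside {out_dir!r}")
    return target


def build_crafted_apk() -> bytes:
    """Constructed sample APK: one benign entry and one with a '../' escape.
    zipfile stores the entry name verbatim; only extract() would sanitize it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("res/values/strings.xml", "<resources/>")
        zf.writestr("res/../../.bashrc", "echo pwned\n")
    return buf.getvalue()


def audit_apk(apk_bytes: bytes) -> List[str]:
    """Pre-flight gate before handing an untrusted APK to a decoder:
    return every entry name that would escape the output directory."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return [name for name in zf.namelist() if is_traversal(name)]


def plan_writes(out_dir: str, names: List[str]) -> Dict[str, Optional[str]]:
    """Map each name to its hardened destination, or None if it was rejected."""
    plan: Dict[str, Optional[str]] = {}
    for name in names:
        try:
            plan[name] = safe_target(out_dir, name)
        except ValueError:
            plan[name] = None
    return plan


if __name__ == "__main__":
    out = "/home/analyst/out"  # constructed output directory
    apk = build_crafted_apk()
    print("traversal entries:", audit_apk(apk))
    print("naive join writes to:", naive_target(out, "res/../../.bashrc"))
    for name, dest in plan_writes(out, ["res/values/strings.xml", "res/../../.bashrc"]).items():
        print(f"{name!r} -> {dest}")
```

Run it with python3. Rejecting every '..' segment is stricter than strictly necessary, which is the right default for a decoder fed untrusted input. The audit is a useful gate for pipelines that still decode third-party APKs with older Apktool builds, but it is not a substitute for upgrading to 3.0.2, and decoding untrusted samples should in any case happen in a throwaway directory under an unprivileged account.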

Affected Version(s)

Apktool >= 3.0.0, < 3.0.2

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability reserved
  • Vulnerability published: 21 April 2026