Code Execution Vulnerability in jadx Decompiler by Skylot
CVE-2026-42049
8.4HIGH
What is CVE-2026-42049?
The jadx decompiler has a vulnerability in which the android:versionName from an AndroidManifest is inserted into the generated app/build.gradle Groovy template without proper sanitation. This allows a malicious APK to escape the string context, leading to the execution of attacker-controlled Groovy code on the victim's machine when the exported Gradle project is opened or built. This vulnerability is addressed in version 1.5.6 and highlights the importance of using sanitized inputs in project templates.
Affected Version(s)
jadx < 1.5.6
