Code Execution Vulnerability in jadx Decompiler by Skylot
CVE-2026-42049

8.4HIGH

Key Information:

Vendor

Skylot

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-42049?

The jadx decompiler has a vulnerability in which the android:versionName from an AndroidManifest is inserted into the generated app/build.gradle Groovy template without proper sanitation. This allows a malicious APK to escape the string context, leading to the execution of attacker-controlled Groovy code on the victim's machine when the exported Gradle project is opened or built. This vulnerability is addressed in version 1.5.6 and highlights the importance of using sanitized inputs in project templates.

Affected Version(s)

jadx < 1.5.6

References

CVSS V4

Score:
8.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.