HTML Injection Vulnerability in jadx-gui by jadx
CVE-2026-42447

3.6LOW

Key Information:

Vendor

Skylot

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-42447?

The jadx-gui tool, a Dex to Java decompiler, contains an HTML injection vulnerability that allows attackers to render arbitrary HTML through manipulated APK files. Specifically, the Summary tab improperly handles values extracted from .so file paths, enabling a malicious APK with an HTML URL-encoded ZIP entry name to execute out-of-band requests or reveal sensitive information like the victim's IP address. This vulnerability is addressed in version 1.5.6.

Affected Version(s)

jadx < 1.5.6

References

CVSS V3.1

Score:
3.6
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.