HTML Injection Vulnerability in jadx-gui by jadx
CVE-2026-42447
3.6LOW
What is CVE-2026-42447?
The jadx-gui tool, a Dex to Java decompiler, contains an HTML injection vulnerability that allows attackers to render arbitrary HTML through manipulated APK files. Specifically, the Summary tab improperly handles values extracted from .so file paths, enabling a malicious APK with an HTML URL-encoded ZIP entry name to execute out-of-band requests or reveal sensitive information like the victim's IP address. This vulnerability is addressed in version 1.5.6.
Affected Version(s)
jadx < 1.5.6
