Arbitrary Write Vulnerability in jadx Decompiler Versions 1.5.2 to 1.5.5
CVE-2026-54684
7HIGH
What is CVE-2026-54684?
The vulnerability in versions 1.5.2 to 1.5.5 of the jadx decompiler allows an attacker to exploit misleading entry name resolution via malicious .xapk files. This security issue may lead to arbitrary file writing outside the designated unpack directory. As a consequence, it is possible for an attacker to plant a JAR file in a critical plugins directory, with the next execution of jadx potentially loading and executing malicious plugin code. To mitigate this risk, users are advised to update to version 1.5.6, which addresses the issue.
Affected Version(s)
jadx >= 1.5.2, < 1.5.6
