Arbitrary Write Vulnerability in jadx Decompiler Versions 1.5.2 to 1.5.5
CVE-2026-54684

7HIGH

Key Information:

Vendor

Skylot

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-54684?

The vulnerability in versions 1.5.2 to 1.5.5 of the jadx decompiler allows an attacker to exploit misleading entry name resolution via malicious .xapk files. This security issue may lead to arbitrary file writing outside the designated unpack directory. As a consequence, it is possible for an attacker to plant a JAR file in a critical plugins directory, with the next execution of jadx potentially loading and executing malicious plugin code. To mitigate this risk, users are advised to update to version 1.5.6, which addresses the issue.

Affected Version(s)

jadx >= 1.5.2, < 1.5.6

References

CVSS V3.1

Score:
7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.