๐Ÿ” CVE Alert

CVE-2026-42049

UNKNOWN 0.0

jadx: RCE Via Groovy Code Injection in Gradle Export

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

jadx is a Dex to Java decompiler. Prior to 1.5.6, jadx inserts the android:versionName value from an AndroidManifest into the generated app/build.gradle Groovy template without proper sanitization when exporting a decompiled APK as an Android Gradle project. A malicious APK can break out of the string context so that opening or building the exported Gradle project executes attacker-controlled Groovy code on the victim machine. This issue is fixed in version 1.5.6.

CWE CWE-94
Vendor skylot
Product jadx
Published Jul 14, 2026
Last Updated Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for skylot jadx

Be the first to know when new unknown vulnerabilities affecting skylot jadx are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

skylot / jadx
< 1.5.6

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/skylot/jadx/security/advisories/GHSA-w6f5-h4x4-rfpj github.com: https://github.com/skylot/jadx/commit/5a6e660b4663d998d52c7dc4511299f3368ef611 github.com: https://github.com/skylot/jadx/releases/tag/v1.5.6