CVE-2026-42447 in jadx
Summary
by MITRE • 07/15/2026
jadx is a Dex to Java decompiler. Prior to 1.5.6, jadx-gui is affected by an HTML injection vulnerability in the Summary tab because SummaryNode.java appends arches and perArchCount values derived from .so file path components inside an APK into an HTML panel without escaping. A malicious APK with an HTML URL-encoded ZIP entry name can force rendering of arbitrary HTML, perform out-of-band requests, disclose the victim IP address, or interact with locally exposed applications. This issue is fixed in version 1.5.6.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/15/2026
The jadx decompiler suite presents a critical security vulnerability in its graphical user interface component that affects versions prior to 1.5.6. This HTML injection flaw resides within the Summary tab functionality where the application processes and displays information about Android application packages. The vulnerability stems from improper input validation and sanitization of data extracted from native library file paths within APK archives, specifically targeting the arches and perArchCount values that are dynamically incorporated into HTML output panels.
The technical implementation of this vulnerability occurs in the SummaryNode.java file where the decompiler extracts information from .so file path components and directly appends these values into HTML content without appropriate HTML escaping or sanitization measures. When processing maliciously crafted APK files containing specially constructed ZIP entry names with HTML URL-encoded sequences, the application fails to properly filter user-supplied data before rendering it within the graphical interface. This creates an environment where attacker-controlled content can be executed as part of the HTML document structure.
The operational impact of this vulnerability extends beyond simple cross-site scripting scenarios to encompass several dangerous attack vectors that align with common web application exploitation patterns. An attacker capable of delivering a malicious APK file can force the victim's jadx-gui application to render arbitrary HTML content, potentially enabling out-of-band communication channels that could be used for data exfiltration or command and control operations. The vulnerability also presents opportunities for IP address disclosure attacks where local network information might be exposed through embedded requests or script execution within the compromised interface. Additionally, the attack surface expands to include potential interaction with locally running applications that may be accessible through the victim's network stack.
This vulnerability maps directly to CWE-79 which defines Cross-Site Scripting (XSS) conditions in web applications and related systems. The flaw demonstrates characteristics consistent with CWE-116 which covers improper encoding or escaping of output, specifically in contexts where HTML content is generated dynamically from untrusted input sources. From an attack framework perspective, this vulnerability aligns with ATT&CK technique T1059.007 for command and scripting interpreter, particularly when considering the potential for arbitrary code execution through embedded script tags or other malicious HTML content. The mitigation strategy requires proper input sanitization and output escaping mechanisms to prevent user-supplied data from being interpreted as executable HTML markup.
The fix implemented in jadx version 1.5.6 addresses this vulnerability by ensuring that all data extracted from APK file paths undergoes appropriate HTML escaping before being rendered in the Summary tab's HTML panel. This remediation follows standard security practices for preventing XSS attacks in web and desktop applications, where user-supplied inputs are properly sanitized before being incorporated into dynamic content generation processes. The update demonstrates a robust approach to input validation that prevents maliciously crafted data from bypassing security controls and executing unintended code within the application's rendering context.
The vulnerability serves as an example of how desktop applications handling file processing and extraction can introduce security risks similar to traditional web applications, particularly when dealing with untrusted user input. The issue highlights the importance of maintaining consistent security practices across all application components regardless of their execution environment or interface type. Proper validation and sanitization of data extracted from archives and file system operations remains critical for preventing injection-based attacks that could compromise application integrity or user systems.
Security practitioners should consider this vulnerability when evaluating desktop application security postures, particularly in environments where users may encounter untrusted APK files or where applications process third-party binary content without adequate input validation. The remediation approach used by jadx developers provides a valuable reference implementation for other applications facing similar challenges with dynamic HTML generation from potentially malicious data sources. Organizations should ensure that all software components handling user-provided file content implement appropriate sanitization and escaping mechanisms to prevent similar injection vulnerabilities from manifesting in their own systems.