Summaryinfo

A vulnerability described as critical has been identified in TeamJCD JoyConDroid up to 1.0.93. Affected by this issue is some unknown functionality of the file app/src/main/java/com/rdapps/gamepad/util. Executing a manipulation can lead to path traversal. This vulnerability is tracked as CVE-2026-4741. The attack can be launched remotely. No exploit exists. Applying a patch is advised to resolve this issue.

Detailsinfo

A vulnerability was found in TeamJCD JoyConDroid up to 1.0.93. It has been declared as critical. This vulnerability affects an unknown code block of the file app/src/main/java/com/rdapps/gamepad/util. The manipulation with an unknown input leads to a path traversal vulnerability. The CWE definition for the vulnerability is CWE-22. The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in TeamJCD JoyConDroid (app/src/main/java/com/rdapps/gamepad/util modules). This vulnerability is associated with program files UnzipUtil.Java‎. This issue affects JoyConDroid: through 1.0.93.

The advisory is shared for download at github.com. This vulnerability was named CVE-2026-4741 since 03/24/2026. The exploitation appears to be easy. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. Successful exploitation requires user interaction by the victim. There are known technical details, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1006.

It is declared as attacked.

Applying a patch is able to eliminate this problem. The bugfix is ready for download at github.com.

Once again VulDB remains the best source for vulnerability data.

Productinfo

Vendor

• TeamJCD

Name

• JoyConDroid

Version

• 1.0.0
• 1.0.1
• 1.0.2
• 1.0.3
• 1.0.4
• 1.0.5
• 1.0.6
• 1.0.7
• 1.0.8
• 1.0.9
• 1.0.10
• 1.0.11
• 1.0.12
• 1.0.13
• 1.0.14
• 1.0.15
• 1.0.16
• 1.0.17
• 1.0.18
• 1.0.19
• 1.0.20
• 1.0.21
• 1.0.22
• 1.0.23
• 1.0.24
• 1.0.25
• 1.0.26
• 1.0.27
• 1.0.28
• 1.0.29
• 1.0.30
• 1.0.31
• 1.0.32
• 1.0.33
• 1.0.34
• 1.0.35
• 1.0.36
• 1.0.37
• 1.0.38
• 1.0.39
• 1.0.40
• 1.0.41
• 1.0.42
• 1.0.43
• 1.0.44
• 1.0.45
• 1.0.46
• 1.0.47
• 1.0.48
• 1.0.49
• 1.0.50
• 1.0.51
• 1.0.52
• 1.0.53
• 1.0.54
• 1.0.55
• 1.0.56
• 1.0.57
• 1.0.58
• 1.0.59
• 1.0.60
• 1.0.61
• 1.0.62
• 1.0.63
• 1.0.64
• 1.0.65
• 1.0.66
• 1.0.67
• 1.0.68
• 1.0.69
• 1.0.70
• 1.0.71
• 1.0.72
• 1.0.73
• 1.0.74
• 1.0.75
• 1.0.76
• 1.0.77
• 1.0.78
• 1.0.79
• 1.0.80
• 1.0.81
• 1.0.82
• 1.0.83
• 1.0.84
• 1.0.85
• 1.0.86
• 1.0.87
• 1.0.88
• 1.0.89
• 1.0.90
• 1.0.91
• 1.0.92
• 1.0.93

Website

• Product: https://github.com/TeamJCD/JoyConDroid/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion