RCE in Skylot Jadx

CVE-2026-42049

jadx is a Dex to Java decompiler. Prior to 1.5.6, jadx inserts the android:versionName value from an AndroidManifest into the generated app/build.gradle Groovy template without proper sanitization when exporting a decompiled APK as an Andr…

Vulnerability class: RCE (Remote Code Execution)

Affected products

Weakness classification (CWE)

References