{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39973", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-08T00:01:47.627Z", "datePublished": "2026-04-21T01:35:22.396Z", "dateUpdated": "2026-04-23T03:56:04.482Z"}, "containers": {"cna": {"title": "Apktool: Path Traversal to Arbitrary File Write", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/iBotPeaches/Apktool/security/advisories/GHSA-m8mh-x359-vm8m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/iBotPeaches/Apktool/security/advisories/GHSA-m8mh-x359-vm8m"}, {"name": "https://github.com/iBotPeaches/Apktool/pull/4041", "tags": ["x_refsource_MISC"], "url": "https://github.com/iBotPeaches/Apktool/pull/4041"}, {"name": "https://github.com/iBotPeaches/Apktool/commit/e10a0450c7afcd9462c0b76bcbff0e7428b92bdd#diff-cd531ebe1014bfd18185bf21585ca5cdb16fbcb07703ebc47949a1b4e4e36bc3", "tags": ["x_refsource_MISC"], "url": "https://github.com/iBotPeaches/Apktool/commit/e10a0450c7afcd9462c0b76bcbff0e7428b92bdd#diff-cd531ebe1014bfd18185bf21585ca5cdb16fbcb07703ebc47949a1b4e4e36bc3"}, {"name": "https://github.com/iBotPeaches/Apktool/releases/tag/v3.0.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/iBotPeaches/Apktool/releases/tag/v3.0.2"}], "affected": [{"vendor": "iBotPeaches", "product": "Apktool", "versions": [{"version": ">= 3.0.0, < 3.0.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T01:35:22.396Z"}, "descriptions": [{"lang": "en", "value": "Apktool is a tool for reverse engineering Android APK files. In versions 3.0.0 and 3.0.1, a path traversal vulnerability in `brut/androlib/res/decoder/ResFileDecoder.java` allows a maliciously crafted APK to write arbitrary files to the filesystem during standard decoding (`apktool d`). This is a security regression introduced in commit e10a045 (PR #4041, December 12, 2025), which removed the `BrutIO.sanitizePath()` call that previously prevented path traversal in resource file output paths. An attacker can embed `../` sequences in the `resources.arsc` Type String Pool to escape the output directory and write files to arbitrary locations, including `~/.ssh/config`, `~/.bashrc`, or Windows Startup folders, escalating to RCE. The fix in version 3.0.2 re-introduces `BrutIO.sanitizePath()` in `ResFileDecoder.java` before file write operations."}], "source": {"advisory": "GHSA-m8mh-x359-vm8m", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-39973"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T03:56:04.482Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39973", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-21T13:33:04.001508Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T13:33:08.739Z"}}], "cna": {"title": "Apktool: Path Traversal to Arbitrary File Write", "source": {"advisory": "GHSA-m8mh-x359-vm8m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "iBotPeaches", "product": "Apktool", "versions": [{"status": "affected", "version": ">= 3.0.0, < 3.0.2"}]}], "references": [{"url": "https://github.com/iBotPeaches/Apktool/security/advisories/GHSA-m8mh-x359-vm8m", "name": "https://github.com/iBotPeaches/Apktool/security/advisories/GHSA-m8mh-x359-vm8m", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/iBotPeaches/Apktool/pull/4041", "name": "https://github.com/iBotPeaches/Apktool/pull/4041", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/iBotPeaches/Apktool/commit/e10a0450c7afcd9462c0b76bcbff0e7428b92bdd#diff-cd531ebe1014bfd18185bf21585ca5cdb16fbcb07703ebc47949a1b4e4e36bc3", "name": "https://github.com/iBotPeaches/Apktool/commit/e10a0450c7afcd9462c0b76bcbff0e7428b92bdd#diff-cd531ebe1014bfd18185bf21585ca5cdb16fbcb07703ebc47949a1b4e4e36bc3", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/iBotPeaches/Apktool/releases/tag/v3.0.2", "name": "https://github.com/iBotPeaches/Apktool/releases/tag/v3.0.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Apktool is a tool for reverse engineering Android APK files. In versions 3.0.0 and 3.0.1, a path traversal vulnerability in `brut/androlib/res/decoder/ResFileDecoder.java` allows a maliciously crafted APK to write arbitrary files to the filesystem during standard decoding (`apktool d`). This is a security regression introduced in commit e10a045 (PR #4041, December 12, 2025), which removed the `BrutIO.sanitizePath()` call that previously prevented path traversal in resource file output paths. An attacker can embed `../` sequences in the `resources.arsc` Type String Pool to escape the output directory and write files to arbitrary locations, including `~/.ssh/config`, `~/.bashrc`, or Windows Startup folders, escalating to RCE. The fix in version 3.0.2 re-introduces `BrutIO.sanitizePath()` in `ResFileDecoder.java` before file write operations."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T01:35:22.396Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39973", "state": "PUBLISHED", "dateUpdated": "2026-04-21T13:33:14.677Z", "dateReserved": "2026-04-08T00:01:47.627Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T01:35:22.396Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apktool:apktool:*:*:*:*:*:*:*:*", "matchCriteriaId": "3AB0F220-1C11-421A-B777-AF3FA75A7830", "versionEndExcluding": "3.0.2", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Apktool is a tool for reverse engineering Android APK files. In versions 3.0.0 and 3.0.1, a path traversal vulnerability in `brut/androlib/res/decoder/ResFileDecoder.java` allows a maliciously crafted APK to write arbitrary files to the filesystem during standard decoding (`apktool d`). This is a security regression introduced in commit e10a045 (PR #4041, December 12, 2025), which removed the `BrutIO.sanitizePath()` call that previously prevented path traversal in resource file output paths. An attacker can embed `../` sequences in the `resources.arsc` Type String Pool to escape the output directory and write files to arbitrary locations, including `~/.ssh/config`, `~/.bashrc`, or Windows Startup folders, escalating to RCE. The fix in version 3.0.2 re-introduces `BrutIO.sanitizePath()` in `ResFileDecoder.java` before file write operations."}], "id": "CVE-2026-39973", "lastModified": "2026-04-23T15:39:26.490", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-21T02:16:07.903", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/iBotPeaches/Apktool/commit/e10a0450c7afcd9462c0b76bcbff0e7428b92bdd#diff-cd531ebe1014bfd18185bf21585ca5cdb16fbcb07703ebc47949a1b4e4e36bc3"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/iBotPeaches/Apktool/pull/4041"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/iBotPeaches/Apktool/releases/tag/v3.0.2"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Mitigation"], "url": "https://github.com/iBotPeaches/Apktool/security/advisories/GHSA-m8mh-x359-vm8m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0,3.0.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Apktool", "source": "cna", "vendor": "iBotPeaches"}, "product": "apktool", "vendor": "ibotpeaches"}], "analysis": {"en": {"generated_at": "2026-04-21T15:30:12.857096+00:00", "value": {"mitigation_remediation": ["Upgrade Apktool to version 3.0.2 or later, which restores proper path sanitization.", "If unable to upgrade immediately, never run apktool with APK files from untrusted sources; isolate the process in a sandbox with limited file system access.", "Configure the system to disable write permissions for critical directories such as ~/.ssh, ~/.bashrc, or Windows startup folders, or monitor file creation events to detect anomalous writes."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution via Arbitrary File Write"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Apktool project by iBotPeaches. The affected releases are 3.0.0 and 3.0.1. The advisory indicates that version 3.0.2 addresses the issue by restoring path sanitization before file writes.", "description_and_impact": "A path traversal flaw in Apktool versions 3.0.0 and 3.0.1 allows a maliciously crafted APK to write files outside the intended output directory. By inserting \"../\" sequences into the resource file, the decoder can overwrite arbitrary files such as ~/.ssh/config, ~/.bashrc, or Windows startup programs, potentially leading to remote code execution. The vulnerability is a classic filesystem traversal error (CWE-22).", "risk_and_exploitability": "The CVSS score of 7.1 denotes significant risk. No EPSS data is available, and the flaw is not listed in the CISA KEV catalog, indicating no known active exploitation at this time. Exploitation requires the attacker to supply a malicious APK and execute apktool's decode command locally; therefore the threat is primarily local or within an environment where influenced users run apktool. The flaw could be mitigated by applying the patch or abstracting the decoding process so that untrusted files are never processed."}}}}, "created": "2026-04-21T15:37:55.177469+00:00", "updated": "2026-04-22T11:46:54.485444+00:00", "vendors": ["ibotpeaches", "ibotpeaches$PRODUCT$apktool"]}