PT-2026-33645 · Apktool · Apktool

Published: 2026-04-19 · Updated: 2026-04-28 · CVE-2026-39973

CVSS v3.1: 7.1 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Apktool versions 3.0.0 through 3.0.1

Description: A path traversal issue in brut/androlib/res/decoder/ResFileDecoder.java allows a maliciously crafted APK to write arbitrary files to the filesystem during standard decoding with the apktool d command. This occurs because the BrutIO.sanitizePath() call, which previously prevented path traversal in resource file output paths, was removed. An attacker can embed ../ sequences in the resources.arsc Type String Pool to escape the output directory and write files to arbitrary locations, such as ~/.ssh/config, ~/.bashrc, or Windows Startup folders, potentially leading to remote code execution.

Recommendations: Update to version 3.0.2.
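The missing control described above is an output-path containment check: every resource file name read from the untrusted APK must be confined to the decode output directory before anything is written. The following is an added example in Python, not Apktool's own code (Apktool is written in Java and the real check lived in BrutIO.sanitizePath()); the function names safe_output_path, triage_resource_names and is_safe_resource_path are hypothetical, and the sample resource names are constructed. It combines a syntactic check (no ".." component, no absolute path, backslashes treated as separators) with a semantic check that the resolved path still sits under the output directory, so that a resource table carrying traversal sequences is rejected rather than written.

```python
import os

# Added example (not Apktool's own code): a containment check of the kind
# that BrutIO.sanitizePath() provided before it was removed. The names
# safe_output_path, triage_resource_names and is_safe_resource_path are
# hypothetical.


class PathTraversalError(ValueError):
    """Raised when a resource path would resolve outside the output directory."""


def safe_output_path(out_dir: str, resource_path: str) -> str:
    """Return the absolute path at which `resource_path` may be written under
    `out_dir`, or raise PathTraversalError if it would escape that directory.

    `resource_path` is attacker-controlled: in the Apktool case it comes from
    the resources.arsc Type String Pool of the APK being decoded.
    """
    if not resource_path:
        raise PathTraversalError("empty resource path")

    # Treat backslashes as separators so "..\\" is caught just like "../".
    normalized = resource_path.replace("\\", "/")

    # Absolute paths and Windows drive specs are never valid resource names.
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        raise PathTraversalError(f"absolute path not allowed: {resource_path!r}")

    # Syntactic check: no ".." component anywhere, whatever its position.
    parts = [p for p in normalized.split("/") if p not in ("", ".")]
    if not parts or any(p == ".." for p in parts):
        raise PathTraversalError(f"traversal component in {resource_path!r}")

    # Semantic check: after OS-level normalisation the result must still be
    # inside out_dir. This is the line of defence that survives encoding
    # tricks the syntactic check did not anticipate.
    base = os.path.realpath(out_dir)
    candidate = os.path.realpath(os.path.join(base, *parts))
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"{resource_path!r} escapes {out_dir!r}")
    return candidate


def is_safe_resource_path(out_dir: str, resource_path: str) -> bool:
    """Boolean convenience wrapper around safe_output_path."""
    try:
        safe_output_path(out_dir, resource_path)
        return True
    except PathTraversalError:
        return False


def triage_resource_names(out_dir, names):
    """Split resource names into (accepted, rejected) lists of pairs.

    Useful when reviewing an untrusted APK's resource table before decoding:
    any rejected entry means the archive is trying to write outside out_dir.
    """
    accepted, rejected = [], []
    for name in names:
        try:
            accepted.append((name, safe_output_path(out_dir, name)))
        except PathTraversalError as exc:
            rejected.append((name, str(exc)))
    return accepted, rejected


# Constructed sample resource names, not taken from any real APK.
SAMPLE_NAMES = [
    "res/drawable/icon.png",
    "res/layout/./main.xml",
    "../../outside.txt",
    "res/../../escaped.txt",
    "..\\..\\escaped_with_backslashes.txt",
    "/etc/absolute.txt",
]

if __name__ == "__main__":
    ok, bad = triage_resource_names("/tmp/apktool_out", SAMPLE_NAMES)
    for name, path in ok:
        print(f"ACCEPT {name!r} -> {path}")
    for name, reason in bad:
        print(f"REJECT {name!r}: {reason}")
```

The two-layer design matters: a check that only looks for the literal string "../" is easy to get wrong (backslashes, leading separators, a ".." that is the whole name), whereas resolving the joined path and comparing it against the real output directory catches whatever the string inspection missed. Note that os.path.realpath also follows symbolic links, so a symlink inside the output directory pointing elsewhere is rejected as well.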

Fix

Path traversal

Weakness Enumeration

Related Identifiers: CVE-2026-39973, GHSA-M8MH-X359-VM8M

Affected Products: Apktool