Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in TeamJCD JoyConDroid (app/src/main/java/com/rdapps/gamepad/util modules). This vulnerability is associated with program files UnzipUtil.Java.

This issue affects JoyConDroid: through 1.0.93.
Published: 2026-03-24
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted file read via path traversal in JoyConDroid
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a path traversal flaw in the UnzipUtil module of the JoyConDroid application. It allows an attacker to craft a ZIP archive that contains filenames designed to navigate outside the intended extraction directory. When the application processes such a file, it may read or save files located anywhere on the device’s file system, including sensitive configuration or user data. The flaw can lead to information disclosure and potentially compromise application integrity.
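
The containment check that closes this kind of ZIP entry-name traversal, as an added example (it is not JoyConDroid's UnzipUtil code or its fix). The class name SafeUnzip and its method names are hypothetical, and java.nio.file is assumed to be available (Android API 26 or later).

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.StandardCopyOption;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

// Added illustration; SafeUnzip is a hypothetical name, not the project's class.
public final class SafeUnzip {
    private SafeUnzip() {}

    // Resolve an entry name under destDir and reject it when the canonical
    // result lies outside destDir ("../" segments, symlinked parents).
    static File resolveInside(File destDir, String entryName) throws IOException {
        File root = destDir.getCanonicalFile();
        File target = new File(root, entryName).getCanonicalFile();
        // Path.startsWith compares whole path components, so a sibling such as
        // "/data/app-evil" does not pass as being inside "/data/app".
        if (!target.toPath().startsWith(root.toPath())) {
            throw new IOException("ZIP entry escapes target directory: " + entryName);
        }
        return target;
    }

    // Extract every entry, validating each name before anything is written.
    public static void unzip(InputStream in, File destDir) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(in)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                File out = resolveInside(destDir, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(out.toPath());
                } else {
                    Files.createDirectories(out.getParentFile().toPath());
                    // Copies only the current entry; the stream stays open.
                    Files.copy(zis, out.toPath(), StandardCopyOption.REPLACE_EXISTING);
                }
                zis.closeEntry();
            }
        }
    }
}
```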

Affected Systems

TeamJCD JoyConDroid is affected in all releases up to and including version 1.0.93. No later version is listed as affected.

Risk and Exploitability

The CVSS score of 8.6 indicates a high severity level. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves an attacker supplying a malicious ZIP file to the device, either by social engineering or by other means of file transfer, after which the application extracts the archive and is able to read arbitrary files. The vulnerability can be exploited with minimal effort if the app is executed with sufficient privileges to traverse the file system.

Generated by OpenCVE AI on March 24, 2026 at 04:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JoyConDroid to a version newer than 1.0.93, as the fix is included in subsequent releases
  • If an upgrade is not immediately possible, block or disable the UnzipUtil functionality until a patch is applied
  • Verify that no ZIP files are processed from untrusted sources and monitor the application directories for unauthorized file access



Advisories

No advisories yet.

History

Tue, 24 Mar 2026 15:15:00 +0000

Values Removed: (none)
Values Added:
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 10:45:00 +0000

Values Removed: (none)
Values Added:
  First Time appeared: Teamjcd; Teamjcd joycondroid
  Vendors & Products: Teamjcd; Teamjcd joycondroid

Tue, 24 Mar 2026 03:30:00 +0000

Values Removed: (none)
Values Added:
  Description: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in TeamJCD JoyConDroid (app/src/main/java/com/rdapps/gamepad/util modules). This vulnerability is associated with program files UnzipUtil.Java. This issue affects JoyConDroid: through 1.0.93.
  Title: Path Traversal Vulnerability in TeamJCD/JoyConDroid
  Weaknesses: CWE-22
  References:
  Metrics: cvssV4_0 {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/S:N/AU:Y/R:U/V:D/RE:L/U:Amber'}


MITRE

Status: PUBLISHED

Assigner: GovTech CSG

Published:

Updated: 2026-03-24T14:34:06.274Z

Reserved: 2026-03-24T03:21:57.389Z

Link: CVE-2026-4741

Vulnrichment

Updated: 2026-03-24T14:34:02.635Z

NVD

Status: Deferred

Published: 2026-03-24T04:17:29.367

Modified: 2026-04-30T16:01:57.470

Link: CVE-2026-4741

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:40:18Z

Weaknesses