Description

Ghidra before 12.1 contains a command injection vulnerability in its URL annotation handling on Windows, where cmd.exe metacharacters are not properly escaped. An attacker can execute arbitrary commands with the Ghidra user's privileges by embedding a malicious URL in a program comment that the victim then clicks.

Status: PUBLISHED | Reserved 2026-06-08 | Published 2026-06-10 | Updated 2026-06-10 | Assigner: VulnCheck




HIGH: 7.3 CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

HIGH: 8.4 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

HIGH: 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Problem types

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Product status

Default status: unaffected

Any version before 12.1: affected

12.1 (custom): unaffected

Credits

Ruffalo Lavoisier (reporter)

References

github.com/...ghidra/security/advisories/GHSA-5c38-3rf3-gp75 (GitHub Security Advisory (GHSA-5c38-3rf3-gp75)) vendor-advisory

www.vulncheck.com/...mand-injection-via-url-annotation-click third-party-advisory

cve.org (CVE-2026-52750)

nvd.nist.gov (CVE-2026-52750)