Skip to main content

Ghidra CVE-2026-52750

| EUVDEUVD-2026-36008 HIGH
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)
2026-06-10 VulnCheck
8.4
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

7
Patch available
Jun 10, 2026 - 15:01 EUVD
Analysis Updated
Jun 10, 2026 - 14:37 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 10, 2026 - 14:37 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 10, 2026 - 14:22 vuln.today
cvss_changed
CVSS changed
Jun 10, 2026 - 14:22 NVD
7.8 (HIGH) 8.4 (HIGH)
Analysis Generated
Jun 10, 2026 - 14:03 vuln.today
CVE Published
Jun 10, 2026 - 12:39 nvd
HIGH 7.8

DescriptionCVE.org

Ghidra before 12.1 contains a command injection vulnerability in URL annotation handling on Windows where cmd.exe metacharacters are not properly escaped. Attackers can execute arbitrary commands under the Ghidra user's privileges by embedding malicious URLs in program comments that victims click.

AnalysisAI

Command injection in Ghidra versions before 12.1 on Windows allows attackers to execute arbitrary OS commands under the Ghidra user's privileges when a victim clicks a maliciously crafted URL embedded in a program comment annotation. The flaw stems from improper escaping of cmd.exe metacharacters in URL annotation handling, and exploitation requires user interaction (UI:A). No public exploit identified at time of analysis, though VulnCheck published a dedicated advisory alongside the NSA's GitHub security advisory.

Technical ContextAI

Ghidra is the National Security Agency's open-source software reverse-engineering (SRE) framework, widely used by malware analysts and security researchers to disassemble and decompile binaries. Program listings in Ghidra support URL annotations that can be embedded inside code comments and clicked from the UI. On Windows, the URL launch path eventually invokes the system shell (cmd.exe) without properly neutralizing shell metacharacters such as &, |, ^, and quoted argument delimiters - the exact behavior described by CWE-88 (Improper Neutralization of Argument Delimiters in a Command, aka 'Argument Injection'). Because cmd.exe parses these characters before the intended URL handler ever sees them, an attacker who controls the annotation contents can append or substitute arbitrary commands. The CPE 'cpe:2.3:a:nationalsecurityagency:ghidra:*' covers all Ghidra builds prior to the 12.1 release.

RemediationAI

Upgrade to Ghidra 12.1 or later, which is the vendor-released patched version per the NSA advisory GHSA-5c38-3rf3-gp75 (https://github.com/NationalSecurityAgency/ghidra/security/advisories/GHSA-5c38-3rf3-gp75). Until upgrading, Windows analysts should avoid clicking URL annotations in any Ghidra project sourced from an untrusted party (shared GZF/GAR archives, sample-sharing sites, CTF distributions), and should review or strip URL annotations from comments before opening untrusted projects - the trade-off is loss of legitimate URL navigation convenience. Running Ghidra on Linux or macOS, or inside a disposable Windows VM with no access to lab credentials, also blunts impact at the cost of workflow disruption; refer to VulnCheck's writeup at https://www.vulncheck.com/advisories/ghidra-command-injection-via-url-annotation-click for additional indicators.

More in Ghidra

View all
CVE-2023-22671 CRITICAL POC
9.8 Jan 06

Ghidra/RuntimeScripts/Linux/support/launch.sh in NSA Ghidra through 10.2.2 passes user-provided input into eval, leading

CVE-2019-16941 CRITICAL POC
9.8 Sep 28

NSA Ghidra through 9.0.4, when experimental mode is enabled, allows arbitrary code execution if the Read XML Files featu

CVE-2019-13625 CRITICAL POC
9.1 Jul 17

NSA Ghidra before 9.0.1 allows XXE when a project is opened or restored, or a tool is imported, as demonstrated by a pro

CVE-2019-17665 HIGH POC
7.8 Oct 16

NSA Ghidra before 9.0.2 is vulnerable to DLL hijacking because it loads jansi.dll from the current working directory. Ra

CVE-2019-13623 HIGH POC
7.8 Jul 17

In NSA Ghidra before 9.1, path traversal can occur in RestoreTask.java (from the package ghidra.app.plugin.core.archive)

CVE-2026-4946 HIGH
8.8 Mar 29

Command injection in NSA Ghidra (versions before 12.0.3) executes arbitrary commands when analysts click on maliciously

CVE-2026-52758 HIGH
8.7 Jun 10

SQL injection in Ghidra's BSim binary-similarity component (versions before 12.1) allows authenticated remote attackers

CVE-2026-52754 HIGH
8.7 Jun 10

Authentication bypass in NSA Ghidra versions prior to 12.1 allows any holder of a valid CA-signed certificate to imperso

CVE-2026-49498 HIGH
8.7 Jun 10

SQL injection in Ghidra's PostgreSQL collaboration backend (versions 11.0 through pre-12.1) allows authenticated users t

CVE-2026-52751 HIGH
8.6 Jun 10

Remote code execution in NSA Ghidra before version 12.1 allows attackers to execute arbitrary commands when a user opens

CVE-2026-52755 HIGH
8.4 Jun 10

Arbitrary file write in NSA's Ghidra reverse-engineering framework before version 12.0.4 allows attackers to escape the

CVE-2026-52752 HIGH
8.4 Jun 10

Arbitrary file write in NSA Ghidra versions prior to 12.0.2 allows local attackers to achieve code execution by tricking

Share

CVE-2026-52750 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy