Skip to main content

Ghidra CVE-2026-52752

| EUVD-2026-36011 HIGH
Path Traversal (CWE-22)
2026-06-10 VulnCheck
RCE Path Traversal Ghidra
8.4
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

6
Patch available
Jun 10, 2026 - 15:01 EUVD
Analysis Updated
Jun 10, 2026 - 14:35 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 10, 2026 - 14:34 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 10, 2026 - 14:22 vuln.today
cvss_changed
CVSS changed
Jun 10, 2026 - 14:22 NVD
7.8 (HIGH) 8.4 (HIGH)
Analysis Generated
Jun 10, 2026 - 14:06 vuln.today

DescriptionCVE.org

Ghidra before 12.0.2 contains a path traversal vulnerability in the extension installer that fails to validate ZIP entry names during extraction. Attackers can craft malicious extensions with traversal sequences like ../ in filenames to write arbitrary files outside the intended directory, enabling code execution.

AnalysisAI

Arbitrary file write in NSA Ghidra versions prior to 12.0.2 allows local attackers to achieve code execution by tricking a user into installing a malicious extension archive. The extension installer fails to sanitize ZIP entry names, enabling classic Zip Slip path traversal that writes files outside the intended extension directory. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious extension ZIP with ../ entries
Delivery
Distribute via fake plugin repo or forum
Exploit
Victim installs extension in Ghidra
Execution
Installer extracts without path validation
Persist
Files written to startup or script paths
Impact
Code executes as Ghidra user
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires that the victim manually install an attacker-supplied Ghidra extension ZIP via the extension installer (File > Install Extensions or equivalent), per CVSS UI:A (user interaction required) and AV:L (local vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 4.0 vector AV:L/AC:L/AT:N/PR:N/UI:A scores 8.4 (High), reflecting local attack vector with required user interaction but no privileges and high impact on confidentiality, integrity, and availability of the vulnerable component. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker publishes a trojanized Ghidra extension - for example, a fake update to a popular analysis plugin posted on GitHub or a forum - whose ZIP contains entries like '../../../../home/analyst/.bashrc' or '../../Ghidra/Features/Base/ghidra_scripts/auto_run.py'. When the targeted reverse engineer uses File > Install Extensions to load the archive, the installer writes attacker-controlled files outside the extension directory, achieving code execution the next time the user opens a shell, restarts Ghidra, or runs the trojaned script. …
Remediation Upgrade Ghidra to version 12.0.2 or later, which contains the upstream fix per advisory GHSA-jhc2-q7qf-9c25 (https://github.com/NationalSecurityAgency/ghidra/security/advisories/GHSA-jhc2-q7qf-9c25); see also the VulnCheck advisory at https://www.vulncheck.com/advisories/ghidra-path-traversal-in-extension-installer-via-zip-entry-names. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Inventory all Ghidra installations across the organization and notify users to avoid installing extensions from untrusted sources; audit current extension sources. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-52751 HIGH
8.6 Jun 10

Remote code execution in NSA Ghidra before version 12.1 allows attackers to execute arbitrary commands when a user opens
CVE-2026-52755 HIGH
8.4 Jun 10

Arbitrary file write in NSA's Ghidra reverse-engineering framework before version 12.0.4 allows attackers to escape the

CVE-2026-49496 MEDIUM
6.9 Jun 10

Heap-use-after-free in Ghidra's SLEIGH disassembler engine allows an attacker to cause memory corruption or application

CVE-2026-49495 MEDIUM
6.7 Jun 10

Uncontrolled resource consumption in Ghidra's Mach-O binary parser (versions 10.2 through pre-12.1) allows a crafted bin
CVE-2026-52753 MEDIUM
6.7 Jun 10

Uncontrolled memory allocation in Ghidra's rust_demangle function (versions before 12.0.3) allows a denial-of-service co

Share

CVE-2026-52752 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy