EUVD-2026-36014Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
Ghidra before 12.0.4 contains a path traversal vulnerability in the theme import functionality that allows attackers to write files outside the intended theme directory. Attackers can craft malicious theme ZIP files with traversal sequences in filenames to execute arbitrary code or modify sensitive files like .bashrc or .ssh/authorized_keys.
AnalysisAI
Arbitrary file write in NSA's Ghidra reverse-engineering framework before version 12.0.4 allows attackers to escape the theme directory via Zip Slip path traversal sequences in malicious theme ZIP archives, leading to code execution or credential compromise. The flaw requires user interaction (importing the booby-trapped theme) and is exploited locally against the user running Ghidra. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to manually import an attacker-supplied theme ZIP archive through Ghidra's theme import functionality (UI:A - user interaction is mandatory per CVSS vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 4.0 base score 8.4 reflects high confidentiality, integrity, and availability impact on the vulnerable component (VC:H/VI:H/VA:H) but is gated by local attack vector (AV:L) and required user interaction (UI:A) - the victim must actively import the malicious theme. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker publishes a visually appealing Ghidra theme ZIP on a reverse-engineering forum, Discord server, or GitHub repo. The archive contains an entry named '../../../../home/victim/.ssh/authorized_keys' holding the attacker's public key; when a researcher uses File → Import Theme, the traversal writes the key and grants persistent SSH access to the analyst's workstation. … |
| Remediation | Upgrade to Vendor-released patch: Ghidra 12.0.4 or later, available from the NSA Ghidra GitHub releases page and referenced in advisory GHSA-3r55-xjr4-jh8f (https://github.com/NationalSecurityAgency/ghidra/security/advisories/GHSA-3r55-xjr4-jh8f). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory all Ghidra installations across security and development teams and identify regular users. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Remote code execution in NSA Ghidra before version 12.1 allows attackers to execute arbitrary commands when a user opens
Arbitrary file write in NSA Ghidra versions prior to 12.0.2 allows local attackers to achieve code execution by tricking
Heap-use-after-free in Ghidra's SLEIGH disassembler engine allows an attacker to cause memory corruption or application
Uncontrolled resource consumption in Ghidra's Mach-O binary parser (versions 10.2 through pre-12.1) allows a crafted bin
Uncontrolled memory allocation in Ghidra's rust_demangle function (versions before 12.0.3) allows a denial-of-service co
Share
External POC / Exploit Code
Leaving vuln.today