Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability in Command-Line Client in P4 Server prior to the 2025.2 Patch 2, identified as CVE-2026-6902, has been fixed in P4 Server to address potential security risks.
AnalysisAI
Code injection vulnerability in the Command-Line Client of P4 Server (Helix Core) prior to version 2025.2 Patch 2 allows remote attackers to execute arbitrary code. The vulnerability requires user interaction but no authentication, with a CVSS 7.7 score indicating high impact across confidentiality, integrity, and availability. Perforce has released a patch in version 2025.2 Patch 2.
Technical ContextAI
P4 Server, also known as Helix Core, is Perforce's version control system used for managing source code and digital assets. The vulnerability affects the command-line client component and is classified as CWE-94 (Improper Control of Generation of Code), indicating that user-supplied input can be interpreted as executable code. The CPE identifier confirms this affects all versions of Helix Core prior to the patched release.
RemediationAI
Upgrade P4 Server to version 2025.2 Patch 2 or later, which contains the fix for this vulnerability. The patch is available from Perforce and should be applied immediately to all affected installations. No specific workarounds are documented in the advisory. Organizations unable to patch immediately should restrict access to the P4 command-line client to trusted users only and monitor for suspicious command-line activity, though this provides limited protection against user interaction-based attacks.
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30747
GHSA-9fr9-58h7-gj3c