Skip to main content

P4 Server EUVDEUVD-2026-30747

| CVE-2026-6902 HIGH
Code Injection (CWE-94)
2026-05-18 Perforce GHSA-9fr9-58h7-gj3c
7.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 18, 2026 - 09:30 vuln.today
CVSS changed
May 18, 2026 - 09:22 NVD
7.7 (HIGH)

DescriptionCVE.org

A vulnerability in Command-Line Client in P4 Server prior to the 2025.2 Patch 2, identified as CVE-2026-6902, has been fixed in P4 Server to address potential security risks.

AnalysisAI

Code injection vulnerability in the Command-Line Client of P4 Server (Helix Core) prior to version 2025.2 Patch 2 allows remote attackers to execute arbitrary code. The vulnerability requires user interaction but no authentication, with a CVSS 7.7 score indicating high impact across confidentiality, integrity, and availability. Perforce has released a patch in version 2025.2 Patch 2.

Technical ContextAI

P4 Server, also known as Helix Core, is Perforce's version control system used for managing source code and digital assets. The vulnerability affects the command-line client component and is classified as CWE-94 (Improper Control of Generation of Code), indicating that user-supplied input can be interpreted as executable code. The CPE identifier confirms this affects all versions of Helix Core prior to the patched release.

RemediationAI

Upgrade P4 Server to version 2025.2 Patch 2 or later, which contains the fix for this vulnerability. The patch is available from Perforce and should be applied immediately to all affected installations. No specific workarounds are documented in the advisory. Organizations unable to patch immediately should restrict access to the P4 command-line client to trusted users only and monitor for suspicious command-line activity, though this provides limited protection against user interaction-based attacks.

Share

EUVD-2026-30747 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy