Description
Ghidra before 12.1 contains a command injection vulnerability in URL annotation handling on Windows where cmd.exe metacharacters are not properly escaped. Attackers can execute arbitrary commands under the Ghidra user's privileges by embedding malicious URLs in program comments that victims click.
Published: 2026-06-10
Score: 8.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Ghidra before version 12.1 on Windows contains a command injection flaw in the URL annotation click handler. When users open a comment that contains a malicious URL, the tool does not properly escape cmd.exe metacharacters, allowing execution of arbitrary shell commands under the privileges of the Ghidra user. This flaw gives an attacker the ability to run any command, creating a command execution risk on the machine running Ghidra.

Affected Systems

The vulnerability affects Ghidra versions prior to 12.1 released the National Security Agency, specifically the Windows build. Any installation of Ghidra on Windows that has not been updated to 12.1 or later is susceptible.

Risk and Exploitability

The CVSS score of 8.4 reflects a high severity, and the EPSS score is currently unavailable. The flaw is not listed in the CISA KEV catalog, but it remains a significant local attack vector. Exploitation requires an end‑user to open a malicious URL annotation, typically achievable by providing a crafted Ghidra project or comment. Once the user clicks the annotated link, the attacker’s commands are executed, granting full control under the Ghidra process identity.

Generated by OpenCVE AI on June 10, 2026 at 14:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ghidra to version 12.1 or later, which removes the unescaped metacharacter handling in URL annotations.
  • If an upgrade is not immediately possible, sanitize project files by removing or editing malicious URL annotations before opening them with Ghidra.
  • Restrict user interactions with project comments by disabling annotation clicks or limiting project file sources to trusted contributors.

Generated by OpenCVE AI on June 10, 2026 at 14:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Description Ghidra before 12.1 contains a command injection vulnerability in URL annotation handling on Windows where cmd.exe metacharacters are not properly escaped. Attackers can execute arbitrary commands under the Ghidra user's privileges by embedding malicious URLs in program comments that victims click.
Title Ghidra < 12.1- Command Injection via URL Annotation Click
First Time appeared Nsa
Nsa ghidra
Weaknesses CWE-88
CPEs cpe:2.3:a:nsa:ghidra:*:*:*:*:*:*:*:*
Vendors & Products Nsa
Nsa ghidra
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Nsa Ghidra
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-10T14:44:11.645Z

Reserved: 2026-06-08T15:20:09.273Z

Link: CVE-2026-52750

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T14:16:35.050

Modified: 2026-06-10T14:16:35.050

Link: CVE-2026-52750

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T15:15:06Z

Weaknesses