Description
Ghidra before 12.0.4 contains a path traversal vulnerability in the theme import functionality that allows attackers to write files outside the intended theme directory. Attackers can craft malicious theme ZIP files with traversal sequences in filenames to execute arbitrary code or modify sensitive files like .bashrc or .ssh/authorized_keys.
Published: 2026-06-10
Score: 8.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the theme import feature of Ghidra allows an attacker to construct a ZIP file containing filenames that traverse directories, thereby writing files outside the intended theme directory. The vulnerability can be exploited to overwrite critical files such as .bashrc or .ssh/authorized_keys, which may lead to arbitrary code execution or unauthorized privileged access. The weakness is classified as CWE‑22, an Absolute or Relative Path Traversal flaw.

Affected Systems

All installations of Ghidra with a version earlier than 12.0.4 from the National Security Agency include the vulnerable theme import functionality. No specific sub‑versions are listed; therefore any release prior to 12.0.4 is potentially affected.

Risk and Exploitability

The CVSS score of 8.4 indicates a high severity of the vulnerability. While the EPSS score is not available and the flaw is not currently in the CISA KEV catalog, the nature of the attack—requiring the submission of a malicious theme ZIP—suggests that exploitation is likely to be limited to environments where users have the ability to import themes, such as local users or remote users with access to the import interface. Once a malicious theme is imported, the attacker can influence files in the host filesystem, providing the ability to modify or replace critical configuration files.

Generated by OpenCVE AI on June 10, 2026 at 14:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ghidra to version 12.0.4 or later, which removes the path traversal flaw in the theme import process.
  • If an upgrade is not immediately possible, disable the theme import feature or keep it available only to trusted administrators to prevent unverified ZIP files from being processed.
  • Ensure that the directory used for theme storage has strict permissions so that files written by the application cannot overwrite system files outside of the intended directory.

Generated by OpenCVE AI on June 10, 2026 at 14:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Description Ghidra before 12.0.4 contains a path traversal vulnerability in the theme import functionality that allows attackers to write files outside the intended theme directory. Attackers can craft malicious theme ZIP files with traversal sequences in filenames to execute arbitrary code or modify sensitive files like .bashrc or .ssh/authorized_keys.
Title Ghidra < 12.0.4 - Path Traversal via Zip Slip in Theme Import
First Time appeared Nsa
Nsa ghidra
Weaknesses CWE-22
CPEs cpe:2.3:a:nsa:ghidra:*:*:*:*:*:*:*:*
Vendors & Products Nsa
Nsa ghidra
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Nsa Ghidra
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-10T14:45:20.146Z

Reserved: 2026-06-08T15:20:09.274Z

Link: CVE-2026-52755

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T14:16:35.747

Modified: 2026-06-10T14:16:35.747

Link: CVE-2026-52755

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T15:00:13Z

Weaknesses