Description
Ghidra before 12.1 contains a SQL injection vulnerability in BSim filter types that concatenate user-supplied values directly into SQL queries without escaping or parameterization. Remote attackers can inject arbitrary SQL via the BSim network query protocol to read, modify, or delete data in the PostgreSQL database.
Published: 2026-06-10
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Ghidra versions prior to 12.1 contain a SQL injection flaw in the BSim filter types. The flaw arises because user-supplied filter values are concatenated directly into SQL queries without any escaping or parameterization. An attacker who can send crafted BSim network queries can inject arbitrary SQL, which is then executed against the PostgreSQL database used by Ghidra. This permits reading, modifying, or deleting database contents, exposing sensitive data and potentially compromising the integrity of Ghidra’s analysis environment.

Affected Systems

The affected product is the National Security Agency’s Ghidra, a software reverse engineering suite. Versions of Ghidra earlier than 12.1 contain the vulnerable BSim component. The vulnerability is specific to the BSim network query mechanism used within Ghidra, which is typically exposed through local or network connections to the Ghidra application.

Risk and Exploitability

The CVSS score of 8.7 classifies this flaw as high severity. Although an EPSS score is not provided, the vulnerability is known to be exploitable through remote network access to the BSim interface. It is not listed in the CISA KEV catalog. Attackers with network access to the BSim protocol can craft malicious queries that bypass input validation, leading to uncontrolled SQL execution. The lack of parameterization gives the attacker full control over the SQL statement, providing a clear path to database compromise.

Generated by OpenCVE AI on June 10, 2026 at 14:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ghidra to version 12.1 or later, which removes the unescaped SQL construction in BSim.
  • Limit or block external network traffic to the BSim query interface so that only trusted hosts can communicate with Ghidra.
  • If an upgrade cannot be performed immediately, disable the BSim network query protocol or remove the BSim component from the Ghidra deployment to eliminate the attack surface.



Advisories

No advisories yet.

History

Wed, 10 Jun 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 13:30:00 +0000

Type | Values Removed | Values Added
Description | | Ghidra before 12.1 contains a SQL injection vulnerability in BSim filter types that concatenate user-supplied values directly into SQL queries without escaping or parameterization. Remote attackers can inject arbitrary SQL via the BSim network query protocol to read, modify, or delete data in the PostgreSQL database.
Title | | Ghidra < 12.1 - SQL Injection via Unescaped Filter Values in BSim Search
First Time appeared | | Nsa; Nsa ghidra
Weaknesses | | CWE-89
CPEs | | cpe:2.3:a:nsa:ghidra:*:*:*:*:*:*:*:*
Vendors & Products | | Nsa; Nsa ghidra
References | |
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}; cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-10T13:41:02.636Z

Reserved: 2026-06-08T15:20:09.274Z

Link: CVE-2026-52758

Vulnrichment

Updated: 2026-06-10T13:40:03.467Z

NVD

Status: Received

Published: 2026-06-10T14:16:36.170

Modified: 2026-06-10T15:16:41.307

Link: CVE-2026-52758

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T15:00:13Z
