Description
A Remote Code Execution vulnerability in P4 (Helix Core) Server's Command-Line Client, prior to the 2025.2 Patch 2, has been fixed to address potential security risks.
Published: 2026-05-18
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Remote Code Execution vulnerability exists in the command‑line client of Perforce P4 (Helix Core) before the 2025.2 Patch 2 upgrade. This flaw (CWE-94) allows attackers to inject and execute arbitrary code on the server, potentially compromising confidentiality, integrity, and availability of the server and its data.

Affected Systems

Perforce P4 (Helix Core) servers running versions prior to 2025.2 Patch 2 are affected.

Risk and Exploitability

The CVSS score of 7.7 classifies the vulnerability as high severity. The EPSS score of 0.00047 indicates an extremely low exploitation probability, and the vulnerability is not listed in KEV, suggesting limited known exploitation. Nevertheless, as the flaw enables remote code execution via the command‑line interface, the potential damage is high. Without a patch, attackers could gain full control of the server by supplying malicious input when using the client.

Generated by OpenCVE AI on May 20, 2026 at 08:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to P4 Server 2025.2 Patch 2 or later, which contains the fix.
  • Disable or restrict access to the command‑line client for untrusted users if an immediate upgrade is not possible.
  • Apply sandboxing or application‑layer firewall rules to limit the commands that can be executed via the client as a temporary mitigation.



Advisories

No advisories yet.

History

Wed, 20 May 2026 06:30:00 +0000

Type: Description
Values Removed: A vulnerability in Command-Line Client in P4 Server prior to the 2025.2 Patch 2, identified as CVE-2026-6902, has been fixed in P4 Server to address potential security risks.
Values Added: A Remote Code Execution vulnerability in P4 (Helix Core) Server's Command-Line Client, prior to the 2025.2 Patch 2, has been fixed to address potential security risks.

Tue, 19 May 2026 08:30:00 +0000

Type: First Time appeared
Values Added: Perforce; Perforce helix Core

Type: Vendors & Products
Values Added: Perforce; Perforce helix Core

Mon, 18 May 2026 13:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 18 May 2026 09:00:00 +0000

Type: Description
Values Added: A vulnerability in Command-Line Client in P4 Server prior to the 2025.2 Patch 2, identified as CVE-2026-6902, has been fixed in P4 Server to address potential security risks.

Type: Title
Values Added: Code Injection in Perforce P4 (Helix Core)

Type: Weaknesses
Values Added: CWE-94

Type: References

Type: Metrics
Values Added: cvssV4_0 {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L'}

Subscriptions

Perforce Helix Core
MITRE

Status: PUBLISHED

Assigner: Perforce

Published:

Updated: 2026-05-20T05:49:13.390Z

Reserved: 2026-04-23T09:27:12.742Z

Link: CVE-2026-6902

Vulnrichment

Updated: 2026-05-18T12:42:39.195Z

NVD

Status: Awaiting Analysis

Published: 2026-05-18T09:16:24.283

Modified: 2026-05-20T07:16:16.187

Link: CVE-2026-6902

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T08:30:25Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')