HIGH🇵🇱 Wersja polska

CVE-2026-52750

CVSS 8.4v4.0pub. 2026-06-10upd. 2026-06-11

Ghidra before 12.1 contains a command injection vulnerability in URL annotation handling on Windows where cmd.exe metacharacters are not properly escaped. Attackers can execute arbitrary commands under the Ghidra user's privileges by embedding malicious URLs in program comments that victims click.

CVSS Vector
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Nsa Ghidra

    APP
    Nsa
    < 12.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2023-22671CRITICAL9.8ten sam produkt

Ghidra/RuntimeScripts/Linux/support/launch.sh in NSA Ghidra through 10.2.2 passes user-provided input into eva...

CVE-2019-16941CRITICAL9.8ten sam produkt

NSA Ghidra through 9.0.4, when experimental mode is enabled, allows arbitrary code execution if the Read XML F...

CVE-2019-13625CRITICAL9.1ten sam produkt

NSA Ghidra before 9.0.1 allows XXE when a project is opened or restored, or a tool is imported, as demonstrate...

CVE-2026-49498HIGH8.7ten sam produkt

Ghidra 11.0 before 12.1 contains a SQL injection vulnerability in the changePassword() method of PostgresFunct...

CVE-2026-52751HIGH8.6ten sam produkt

Ghidra before 12.1 contains an unsafe deserialization vulnerability in client-side Shared-Project RMI connecti...