CVE-2026-52750

Source
https://cve.org/CVERecord?id=CVE-2026-52750
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52750.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-52750
Aliases
  • GHSA-5c38-3rf3-gp75
Published
2026-06-10T12:39:03.699Z
Modified
2026-07-08T08:05:23.152741486Z
Severity
  • 7.3 (High) CVSS_V4 - CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Ghidra < 12.1- Command Injection via URL Annotation Click
Details

Ghidra before 12.1 contains a command injection vulnerability in URL annotation handling on Windows where cmd.exe metacharacters are not properly escaped. Attackers can execute arbitrary commands under the Ghidra user's privileges by embedding malicious URLs in program comments that victims click.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52750.json",
    "cwe_ids": [
        "CWE-88"
    ],
    "cna_assigner": "VulnCheck"
}
References

Affected packages

Git / github.com/nationalsecurityagency/ghidra

Affected ranges

Type
GIT
Repo
https://github.com/nationalsecurityagency/ghidra
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "cpe": "cpe:2.3:a:nsa:ghidra:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "12.1"
        }
    ]
}

Affected versions

Ghidra_10.*
Ghidra_10.3_build
Ghidra_9.*
Ghidra_9.0.1_build

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52750.json"