CVE-2026-52750

Analyzed Analyzed - Analysis Complete

Command Injection in Ghidra via URL Annotation on Windows

Publication date: 2026-06-10

Last updated on: 2026-06-11

Assigner: VulnCheck

Description

Ghidra before 12.1 contains a command injection vulnerability in URL annotation handling on Windows where cmd.exe metacharacters are not properly escaped. Attackers can execute arbitrary commands under the Ghidra user's privileges by embedding malicious URLs in program comments that victims click.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-06-10

Last Modified

2026-06-11

Generated

2026-06-30

AI Q&A

2026-06-10

EPSS Evaluated

2026-06-29

NVD

CVE-2026-52750

EUVD

EUVD-2026-36008

Affected Vendors & Products

Vendor	Product	Version / Range
nsa	ghidra	to 12.1 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-88	The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

Attack-Flow Graph

Executive Summary

CVE-2026-52750 is a high-severity command injection vulnerability in Ghidra versions before 12.1 that affects Windows systems. The flaw occurs because when Ghidra opens URLs embedded in program comments using {@url ...} annotations, it uses the Windows command interpreter cmd.exe without properly escaping special metacharacters such as &, |, ^, <, and >. This improper escaping allows attackers to craft malicious URLs containing these metacharacters, which when clicked by a user, cause arbitrary commands to be executed under the privileges of the Ghidra user.

The vulnerability arises from the way Ghidra calls cmd.exe with the command line 'cmd.exe /c start <URL>', passing the URL directly to Runtime.getRuntime().exec(String[]) without neutralizing dangerous characters. Because cmd.exe re-parses the command line and treats metacharacters as command separators, attackers can inject additional commands that run on the victim's machine. Exploitation requires only that a user clicks a malicious URL annotation in a Ghidra project or program.

Impact Analysis

This vulnerability allows attackers to execute arbitrary commands on the victim's system with the same privileges as the Ghidra user. This can lead to unauthorized access to sensitive files, execution of malicious software, and potential compromise of confidential artifacts or internal networks.

Since exploitation only requires a user to click a malicious URL annotation, it poses a significant risk especially to analysts and security professionals who open untrusted Ghidra projects, including threat intelligence teams, SOC analysts, and malware reverse engineers. It also affects multi-user Ghidra Server repositories and automated pipelines that generate URL annotations from untrusted input.

Detection Guidance

This vulnerability involves malicious URLs embedded in Ghidra program comments that execute arbitrary commands when clicked on Windows systems. Detection involves identifying such malicious URL annotations within Ghidra projects or monitoring for suspicious command executions triggered by cmd.exe.

Since the vulnerability is triggered by clicking on {@url ...} annotations containing cmd.exe metacharacters, you can inspect Ghidra project files or comments for suspicious URL patterns containing characters like &, |, ^, <, > which are used to inject commands.

On the system, monitoring process creation events for cmd.exe with unusual arguments or multiple commands separated by metacharacters can help detect exploitation attempts.

Search Ghidra project files or comments for URL annotations with suspicious metacharacters: grep -r '@url .*[&|^<>]' /path/to/ghidra/projects
Monitor Windows event logs or use Sysinternals Process Monitor to detect cmd.exe executions with suspicious arguments.
Use PowerShell to check for recent cmd.exe processes with suspicious command lines: Get-WinEvent -FilterHashtable @{LogName='Security';ID=4688} | Where-Object {$_.Message -match 'cmd.exe.*[&|^<>]'}

Mitigation Strategies

The primary mitigation is to upgrade Ghidra to version 12.1 or later, where this command injection vulnerability has been fixed.

As a temporary workaround before upgrading, users should avoid clicking on {@url ...} annotations from untrusted or unknown sources within Ghidra projects.

Additionally, restrict or monitor the use of Ghidra on Windows systems to trusted projects only, and consider applying application whitelisting or process monitoring to detect suspicious cmd.exe executions.

Compliance Impact

The vulnerability allows attackers to execute arbitrary commands with the privileges of the Ghidra user, potentially leading to unauthorized access to sensitive files, confidential artifacts, or internal networks.

Such unauthorized access and potential data compromise could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access.

However, the provided information does not explicitly discuss compliance impacts or specific regulatory consequences.

Hi! I’m here to help you understand CVE-2026-52750. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70