CVE-2026-52752
Received - Intake
Path Traversal in Ghidra Extension Installer

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: VulnCheck

Description
Ghidra before 12.0.2 contains a path traversal vulnerability in the extension installer that fails to validate ZIP entry names during extraction. Attackers can craft malicious extensions with traversal sequences like ../ in filenames to write arbitrary files outside the intended directory, enabling code execution.
Meta Information
Published: 2026-06-10
Last Modified: 2026-06-10
Generated: 2026-06-10
AI Q&A: 2026-06-10
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
national_security_agency | ghidra | to 12.0.2 (exc)
CWE ID | Description
CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Executive Summary

CVE-2026-52752 is a path traversal vulnerability in Ghidra versions before 12.0.2, specifically in the extension installer component.

The vulnerability occurs because the installer does not properly validate ZIP entry names during extraction. Attackers can craft malicious extension ZIP files containing traversal sequences like "../" in filenames.

This allows the attacker to write arbitrary files outside the intended extension directory, potentially overwriting important files in the user's system.

As a result, this can enable arbitrary code execution on the victim's machine.

Impact Analysis

This vulnerability can have serious impacts including unauthorized file writes outside the intended directory.

An attacker can place malicious files such as scripts or configuration files (e.g., ".bashrc" or "EXPLOIT.sh") in sensitive locations like the user's home directory.

This can lead to arbitrary code execution without requiring further user interaction, potentially allowing attackers to run malicious payloads on the affected system.

The overall impact extends to the confidentiality, integrity, and availability of the system.

Detection Guidance

This vulnerability involves malicious ZIP archives containing path traversal sequences like "../" in filenames used by Ghidra's extension installer. Detection can focus on identifying suspicious ZIP files or unexpected files placed outside the intended extension directories.

You can scan for recently extracted files in user home directories or other unexpected locations that might have been created by a malicious extension installation.

  • Check for suspicious files such as ".bashrc" or "EXPLOIT.sh" in user home directories that could have been placed by the exploit.
  • Search ZIP files for entries containing traversal sequences, for example:
      unzip -l suspicious_extension.zip | grep "\.\./"
  • Find recently modified or created files outside the expected Ghidra extension directory, for example files under the home directory changed in the last seven days:
      find "$HOME" -type f -mtime -7

Monitoring logs for extension installation activities and unexpected file writes during these operations can also help detect exploitation attempts.
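
A stricter form of the unzip/grep check above, as an added example (not part of the original advisory and not Ghidra's code): it resolves each entry name against a destination directory and reports entries that would land outside it, without extracting anything. The destination path and the sample entry names are constructed assumptions.

```python
import io
import posixpath
import zipfile


def unsafe_entries(zip_source, dest="/opt/ghidra/Extensions"):
    """Return (entry name, reason) for entries that should not be extracted.

    dest is a hypothetical install directory used only for path arithmetic;
    nothing is extracted or written to disk.
    """
    findings = []
    dest = posixpath.normpath(dest)
    with zipfile.ZipFile(zip_source) as zf:
        for info in zf.infolist():
            # ZIP names use "/", but some tools emit "\"; treat both as separators.
            name = info.filename.replace("\\", "/")
            if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
                findings.append((info.filename, "absolute path"))
                continue
            resolved = posixpath.normpath(posixpath.join(dest, name))
            if resolved != dest and not resolved.startswith(dest + "/"):
                findings.append((info.filename, "escapes destination"))
            elif ".." in name.split("/"):
                # Stays inside dest, but a well-formed extension has no need for it.
                findings.append((info.filename, "contains '..' component"))
    return findings


def constructed_sample():
    """Build an in-memory archive with constructed entry names for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MyExt/extension.properties", "name=MyExt\n")
        zf.writestr("MyExt/lib/../../../../outside.txt", "x")
        zf.writestr("MyExt/data/../data/ok.txt", "x")
        # Benign name that a plain grep for "../" would still match.
        zf.writestr("MyExt/notes../readme.txt", "x")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, reason in unsafe_entries(constructed_sample()):
        print(f"{reason}: {name}")
```

Unlike the grep, this separates entries that actually leave the destination from names that merely contain the characters "../", and it also catches absolute paths.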

Mitigation Strategies

The primary mitigation step is to upgrade Ghidra to version 12.0.2 or later, where the vulnerability has been fixed by validating ZIP entry paths before extraction.

Until the upgrade is applied, avoid installing extensions from untrusted sources to prevent exploitation via malicious ZIP archives.

Additionally, review and remove any suspicious files that may have been placed outside the intended directories by previous exploitation attempts.
