CVE-2026-52755
Received Received - Intake
Path Traversal in Ghidra Theme Import

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: VulnCheck

Description
Ghidra before 12.0.4 contains a path traversal vulnerability in the theme import functionality that allows attackers to write files outside the intended theme directory. Attackers can craft malicious theme ZIP files with traversal sequences in filenames to execute arbitrary code or modify sensitive files like .bashrc or .ssh/authorized_keys.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-10
Last Modified
2026-06-10
Generated
2026-06-10
AI Q&A
2026-06-10
EPSS Evaluated
N/A
NVD
CVE-2026-52755
EUVD
EUVD-2026-36014
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
national_security_agency ghidra to 12.0.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-52755 is a path traversal vulnerability in Ghidra's theme import functionality affecting versions before 12.0.4.

Attackers can craft malicious theme ZIP files containing directory traversal sequences (like "../") in filenames. When a user imports such a theme ZIP, the software extracts files without properly validating the file paths.

This allows attackers to write files outside the intended theme directory, potentially overwriting or creating files in sensitive locations where the user has write access.

Examples of sensitive files that can be modified include .bashrc, .profile, or .ssh/authorized_keys, which can lead to arbitrary code execution or unauthorized remote access.

Impact Analysis

This vulnerability can have serious impacts including arbitrary code execution and compromise of sensitive user files.

  • Attackers can execute arbitrary code by writing malicious files that run automatically.
  • Sensitive files such as .bashrc or .ssh/authorized_keys can be modified, potentially granting attackers unauthorized remote access.
  • The integrity, confidentiality, and availability of your system and data can be severely affected.
Detection Guidance

This vulnerability involves the import of malicious theme ZIP files containing path traversal sequences like "../" in filenames. Detection involves monitoring or inspecting theme import activities in Ghidra versions prior to 12.0.4.

You can check for suspicious ZIP files with traversal sequences by inspecting theme ZIP files before import. For example, use commands to list ZIP contents and look for filenames containing "../" or absolute paths.

  • Use the command: unzip -l suspicious_theme.zip | grep '\.\./'
  • Alternatively, use: zipinfo suspicious_theme.zip | grep '\.\./'

Additionally, monitor file system changes in user home directories for unexpected modifications to files like .bashrc or .ssh/authorized_keys after theme imports.

Mitigation Strategies

The primary mitigation is to upgrade Ghidra to version 12.0.4 or later, where the vulnerability has been fixed by validating file paths during theme import.

Until the upgrade is applied, avoid importing theme ZIP files from untrusted sources to prevent exploitation.

Review and monitor critical user files such as .bashrc, .profile, and .ssh/authorized_keys for unauthorized changes.

Compliance Impact

The vulnerability allows attackers to write arbitrary files outside the intended directory, potentially modifying sensitive files such as .bashrc or .ssh/authorized_keys. This can lead to unauthorized code execution or unauthorized access to sensitive data.

Such unauthorized access or modification of sensitive files could result in violations of data protection and security requirements mandated by common standards and regulations like GDPR and HIPAA, which require safeguarding the confidentiality, integrity, and availability of sensitive information.

Therefore, if exploited, this vulnerability could compromise compliance with these regulations by enabling unauthorized data access or system compromise.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52755. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart