cvebase

NSA Ghidra vulnerabilities

22 known vulnerabilities affecting nsa/ghidra.

Total CVEs: 22
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 11, MEDIUM 7, LOW 1

Vulnerabilities

Page 1 of 2
CVE-2019-13623 | P3 | HIGH | CVSS 7.8 | PoC | ≤ 9.0.4 | 2019-07-17
CVE-2019-13623 [HIGH] CWE-22: In NSA Ghidra before 9.1, path traversal can occur in RestoreTask.java (from the package ghidra.app.plugin.core.archive) via an archive with an executable file that has an initial ../ in its filename. This allows attackers to overwrite arbitrary files in scenarios where an intermediate analysis result is archived for sharing with other persons. To achi
nvd
CVE-2026-52751 | P2 | HIGH | CVSS 8.8 | fixed in 12.1 | 2026-06-10
CVE-2026-52751 [HIGH] CWE-502: Ghidra before 12.1 contains an unsafe deserialization vulnerability in client-side Shared-Project RMI connection code that allows unauthenticated remote code execution. Attackers can craft a malicious project file with a ghidra:// URL that, when opened via File → Open Project, deserializes untrusted objects using a Jython 2.7.4 gadget chain to execute
nvd
CVE-2026-52754 | P2 | HIGH | CVSS 8.8 | fixed in 12.1 | 2026-06-10
CVE-2026-52754 [HIGH] CWE-347: Ghidra before 12.1 contains an authentication bypass vulnerability in PKIAuthenticationModule.authenticate() that allows any user with a valid CA-signed certificate to impersonate other users by presenting their public certificate with a null signature. Attackers can escalate privileges, modify repository access controls, exfiltrate shared reverse eng
nvd
CVE-2026-52758 | P2 | HIGH | CVSS 8.8 | ≥ 11.0, < 12.1 | 2026-06-10
CVE-2026-52758 [HIGH] CWE-89: Ghidra before 12.1 contains a SQL injection vulnerability in BSim filter types that concatenate user-supplied values directly into SQL queries without escaping or parameterization. Remote attackers can inject arbitrary SQL via the BSim network query protocol to read, modify, or delete data in the PostgreSQL database.
nvd
CVE-2026-49498 | P3 | HIGH | CVSS 8.8 | ≥ 11.0, < 12.1 | 2026-06-10
CVE-2026-49498 [HIGH] CWE-89: Ghidra 11.0 before 12.1 contains a SQL injection vulnerability in the changePassword() method of PostgresFunctionDatabase that fails to escape double quotes in usernames interpolated into ALTER ROLE statements. Authenticated attackers can inject SQL commands via crafted username parameters in PasswordChange network messages to escalate to PostgreSQL su
nvd
CVE-2026-4946 | P3 | HIGH | CVSS 8.8 | fixed in 12.0.3 | 2026-03-29
CVE-2026-4946 [HIGH] CWE-78: Ghidra versions prior to 12.0.3 improperly process annotation directives embedded in automatically extracted binary data, resulting in arbitrary command execution when an analyst interacts with the UI. Specifically, the @execute annotation (which is intended for trusted, user-authored comments) is also parsed in comments generated during auto-analysis (s
nvd
CVE-2023-22671 | P3 | CRITICAL | CVSS 9.8 | ≤ 10.2.2 | 2023-01-06
CVE-2023-22671 [CRITICAL] CWE-77: Ghidra/RuntimeScripts/Linux/support/launch.sh in NSA Ghidra through 10.2.2 passes user-provided input into eval, leading to command injection when calling analyzeHeadless with untrusted input.
nvd
CVE-2019-16941 | P3 | CRITICAL | CVSS 9.8 | ≤ 9.0.4 | 2019-09-28
CVE-2019-16941 [CRITICAL] CWE-91: NSA Ghidra through 9.0.4, when experimental mode is enabled, allows arbitrary code execution if the Read XML Files feature of Bit Patterns Explorer is used with a modified XML document. This occurs in Features/BytePatterns/src/main/java/ghidra/bitpatterns/info/FileBitPatternInfoReader.java. An attack could start with an XML document that was origina
nvd
CVE-2026-52750 | P3 | HIGH | CVSS 7.8 | fixed in 12.1 | 2026-06-10
CVE-2026-52750 [HIGH] CWE-88: Ghidra before 12.1 contains a command injection vulnerability in URL annotation handling on Windows where cmd.exe metacharacters are not properly escaped. Attackers can execute arbitrary commands under the Ghidra user's privileges by embedding malicious URLs in program comments that victims click.
nvd
CVE-2026-52756 | P3 | MEDIUM | CVSS 6.5 | ≤ 12.1.2 | 2026-06-10
CVE-2026-52756 [MEDIUM] CWE-22: Ghidra before 12.2 contains an unauthenticated path traversal vulnerability in the IsfServer that accepts TCP connections and passes client-supplied namespace strings directly to filesystem operations without validation. Remote attackers can connect to port 54321 and send crafted protobuf messages with traversal sequences to enumerate filesystem path
nvd
CVE-2026-52755 | P3 | HIGH | CVSS 7.8 | fixed in 12.0.4 | 2026-06-10
CVE-2026-52755 [HIGH] CWE-22: Ghidra before 12.0.4 contains a path traversal vulnerability in the theme import functionality that allows attackers to write files outside the intended theme directory. Attackers can craft malicious theme ZIP files with traversal sequences in filenames to execute arbitrary code or modify sensitive files like .bashrc or .ssh/authorized_keys.
nvd
CVE-2019-13625 | P3 | CRITICAL | CVSS 9.1 | fixed in 9.0.1 | 2019-07-17
CVE-2019-13625 [CRITICAL] CWE-611: NSA Ghidra before 9.0.1 allows XXE when a project is opened or restored, or a tool is imported, as demonstrated by a project.prp file.
nvd
CVE-2026-52752 | P3 | HIGH | CVSS 7.8 | fixed in 12.0.2 | 2026-06-10
CVE-2026-52752 [HIGH] CWE-22: Ghidra before 12.0.2 contains a path traversal vulnerability in the extension installer that fails to validate ZIP entry names during extraction. Attackers can craft malicious extensions with traversal sequences like ../ in filenames to write arbitrary files outside the intended directory, enabling code execution.
nvd
CVE-2019-17664 | P4 | HIGH | CVSS 7.8 | ≤ 9.0.4 | 2019-10-16
CVE-2019-17664 [HIGH] CWE-426: NSA Ghidra through 9.0.4 uses a potentially untrusted search path. When executing Ghidra from a given path, the Java process working directory is set to this path. Then, when launching the Python interpreter via the "Ghidra Codebrowser > Window > Python" option, Ghidra will try to execute the cmd.exe program from this working directory.
nvd
CVE-2019-17665 | P4 | HIGH | CVSS 7.8 | ≤ 9.0.2 | 2019-10-16
CVE-2019-17665 [HIGH] CWE-427: NSA Ghidra before 9.0.2 is vulnerable to DLL hijacking because it loads jansi.dll from the current working directory.
nvd
CVE-2026-49496 | P4 | MEDIUM | CVSS 6.1 | fixed in 12.1 | 2026-06-10
CVE-2026-49496 [MEDIUM] CWE-416: Ghidra before 12.1 contains a heap-use-after-free vulnerability in SleighBuilder::generatePointerAdd caused by iterator invalidation when PcodeCacher::allocateInstruction reallocates the issued vector. Attackers can trigger memory corruption by decompiling malicious binaries through the public Sleigh::oneInstruction C++ API, affecting downstream SLE
nvd
CVE-2026-52753 | P4 | MEDIUM | CVSS 5.5 | fixed in 12.0.3 | 2026-06-10
CVE-2026-52753 [MEDIUM] CWE-789: Ghidra before 12.0.3 contains an out-of-memory vulnerability in the rust_demangle function that allocates unbounded output buffers without size limits. Attackers can craft malicious Rust symbol names in binaries to trigger exponential memory allocation, causing process crashes during binary analysis.
nvd
CVE-2026-49495 | P4 | MEDIUM | CVSS 5.5 | ≥ 10.2, < 12.1 | 2026-06-10
CVE-2026-49495 [MEDIUM] CWE-835: Ghidra 10.2 before 12.1 contains an uncontrolled resource consumption vulnerability in ExportTrie.parseTrie() that lacks cycle detection when traversing Mach-O binary export tries. A crafted Mach-O binary with circular references in the export trie causes unbounded queue growth and exponential string concatenation, triggering OutOfMemoryError that c
nvd
CVE-2026-52759 | P4 | MEDIUM | CVSS 5.5 | fixed in 12.1.1 | 2026-06-10
CVE-2026-52759 [MEDIUM] CWE-789: Ghidra before 12.1.1 contains an uncontrolled memory allocation vulnerability in the Mach-O binary parser that allows attackers to cause denial of service. An attacker can supply a crafted Mach-O binary with an arbitrarily large ncmds load command count value, forcing the parser to allocate excessive heap memory without validating file size, crashin
nvd
CVE-2026-49497 | P4 | LOW | CVSS 3.3 | fixed in 12.1 | 2026-06-10
CVE-2026-49497 [LOW] CWE-22: Ghidra before 12.1 contains a path traversal vulnerability in SameDirDebugInfoProvider that fails to validate filenames from ELF binary .gnu_debuglink sections before constructing file paths. Attackers can craft malicious ELF binaries with traversal sequences to probe filesystem existence and leak CRC32 hashes of arbitrary files during automatic DWARF a
nvd