CVE-2026-52750

An attacker can embed a malicious URL within program comments in a Ghidra project. When a victim clicks this URL annotation, the unescaped URL is passed to cmd.exe, which re-parses the command line. This allows for arbitrary command execution under the privileges of the Ghidra user on Windows systems [ref_id=1]. Exploitation requires user interaction (a click) and does not need prior authentication or access to the victim's machine [ref_id=1].

The vulnerability lies in Ghidra's handling of URL annotations on Windows. Specifically, the `Runtime.getRuntime().exec(String[])` sink is reached via `BrowserLoader.java` and `URLAnnotatedStringHandler.java` [ref_id=1]. The default browser launch configuration on Windows uses `cmd.exe /c start <URL>`, and the URL string is passed verbatim without proper escaping of cmd metacharacters [ref_id=1].

The advisory recommends upgrading to Ghidra 12.1 or later. For users on older versions, the remediation is to avoid clicking URL annotations from untrusted program databases. The patch details are not provided in the bundle, but the vulnerability is addressed by properly escaping metacharacters that could be interpreted by cmd.exe [ref_id=1].