VYPR
High severity · 8.8 · NVD Advisory · Published Jun 10, 2026 · Updated Jun 10, 2026

CVE-2026-52758

Description

Ghidra versions before 12.1 are vulnerable to SQL injection in BSim filter types, allowing attackers to manipulate PostgreSQL database data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Ghidra versions prior to 12.1 contain a SQL injection vulnerability in multiple BSim filter types. These types concatenate user-supplied values from network-received XML protocol messages directly into SQL queries without escaping or parameterization. Specifically, ExecutableNameBSimFilterType.java, PathStartsBSimFilterType.java, and NotExecutableNameBSimFilterType.java are affected, while Md5BSimFilterType is not affected because it enforces a strict regex on its input [1].

Exploitation

An attacker needs network access to the BSim server and the ability to send crafted XML protocol messages. The attacker can inject arbitrary SQL code by providing malicious values within these messages. The atom.value is read from the XML, normalized only by trimming whitespace, and then directly appended to SQL statements in methods like gatherSQLEffect() without any sanitization or escaping [1].
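
The concatenation pattern described above next to a parameterized query, as an added example that is not Ghidra's code or its fix. It uses Python's sqlite3 as a stand-in for PostgreSQL, and the XML layout, table, column and function names are assumptions.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample messages; element and attribute names are hypothetical.
BENIGN = """<filter><atom type="ExecutableName" value="  libssl.so  "/></filter>"""
HOSTILE = """<filter><atom type="ExecutableName" value="x' OR '1'='1"/></filter>"""


def make_db():
    """In-memory stand-in for the executable table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE executables (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO executables (name) VALUES (?)",
                   [("libssl.so",), ("libcrypto.so",), ("busybox",)])
    return db


def atom_value(message):
    """Read the atom value from the XML and only trim whitespace."""
    return ET.fromstring(message).find("atom").get("value").strip()


def lookup_concatenated(db, message):
    """Vulnerable pattern: the received value becomes part of the SQL text."""
    sql = "SELECT name FROM executables WHERE name = '" + atom_value(message) + "'"
    return sorted(row[0] for row in db.execute(sql))


def lookup_parameterized(db, message):
    """Hardened pattern: the value is bound as data and never parsed as SQL."""
    sql = "SELECT name FROM executables WHERE name = ?"
    return sorted(row[0] for row in db.execute(sql, (atom_value(message),)))


if __name__ == "__main__":
    db = make_db()
    for label, msg in (("benign", BENIGN), ("hostile", HOSTILE)):
        # Same input, two query styles: the result sets differ only for the
        # value that contains a quote character.
        print(label, lookup_concatenated(db, msg), lookup_parameterized(db, msg))
```

With the bound parameter, the quote-bearing value is compared as a literal name and matches no rows; with concatenation, the same value rewrites the WHERE clause and every row is returned.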

Impact

Successful exploitation allows a remote attacker to inject arbitrary SQL into database queries. This can lead to the reading, modification, or deletion of any data stored within the BSim PostgreSQL database. In environments where BSim is deployed and shared, this vulnerability compromises all stored binary analysis data [2].

Mitigation

Ghidra version 12.1 and later include a fix for this vulnerability. Users are strongly advised to upgrade to a patched version. No workarounds are specified in the available references, and the vulnerability is not listed as part of the CISA KEV catalog at this time [1, 2].

AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

2

News mentions

1