CVE-2026-52755: Ghidra < 12.0.4 - Path Traversal via Zip Slip in Theme Import
Ghidra before 12.0.4 contains a path traversal vulnerability in the theme import functionality that allows attackers to write files outside the intended theme directory. Attackers can craft malicious theme ZIP files with traversal sequences in filenames to execute arbitrary code or modify sensitive files like .bashrc or .ssh/authorized_keys.
Metrics
- CVSS v4.0: 8.4
- Severity: HIGH
- Fixed in: 12.0.4
- Affected Products: 1
HarborGuard Analysis
Synopsis
A path traversal vulnerability (Zip Slip) in Ghidra's theme import functionality allows a crafted ZIP file to write files outside the intended theme directory. The attack requires local access and a user to open a malicious theme archive, but does not require any account credentials. Successful exploitation lets an attacker overwrite arbitrary files on the host, enabling code execution by tampering with files such as .bashrc or .ssh/authorized_keys. A patched-image rebuild at version 12.0.4 is available on HarborGuard for environments running an affected version.
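The defect class described above (Zip Slip) comes from trusting member names inside an archive. The following is an added example, not Ghidra's own import code, showing the check an importer should make before writing anything: every member name is resolved against the destination directory and the whole archive is rejected if any member would land outside it. The sample archives, the `mytheme/` layout and the destination path are constructed for the example.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path


def build_sample_archive(with_traversal: bool) -> bytes:
    """Build a constructed in-memory theme-style ZIP; optionally add a Zip Slip member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mytheme/mytheme.theme", "# constructed theme file\n")
        if with_traversal:
            # Member name that climbs out of the extraction directory (constructed).
            zf.writestr("../../.bashrc", "# constructed marker line\n")
    return buf.getvalue()


def unsafe_entries(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Return the member names that would resolve outside dest_dir after extraction."""
    dest = Path(dest_dir).resolve()
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Treat backslashes as separators, as a Windows host would.
            name = info.filename.replace("\\", "/")
            # Absolute names and drive-letter names never belong in a theme archive.
            if name.startswith("/") or os.path.splitdrive(name)[0]:
                flagged.append(info.filename)
                continue
            # Resolve '..' components against the real destination and confirm
            # the result is still inside it.
            target = (dest / name).resolve()
            try:
                target.relative_to(dest)
            except ValueError:
                flagged.append(info.filename)
    return flagged


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Extract only if every member is confined to dest_dir; reject the archive otherwise.

    Rejecting the whole archive (rather than skipping bad members) avoids a
    half-imported theme and makes the failure visible to the user.
    """
    flagged = unsafe_entries(zip_bytes, dest_dir)
    if flagged:
        raise ValueError(f"rejected archive, traversal entries: {flagged}")
    dest = Path(dest_dir).resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = (dest / info.filename.replace("\\", "/")).resolve()
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(str(target.relative_to(dest)))
    return written


def demo() -> dict:
    """Run both constructed archives against a temporary theme directory."""
    with tempfile.TemporaryDirectory() as tmp:
        result = {
            "rejected": unsafe_entries(build_sample_archive(True), tmp),
            "written": safe_extract(build_sample_archive(False), tmp),
        }
        try:
            safe_extract(build_sample_archive(True), tmp)
            result["malicious_raised"] = False
        except ValueError:
            result["malicious_raised"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The resolve-then-`relative_to` check is the part that matters: a string test for `..` misses encoded or backslash variants and symlinked destinations, whereas comparing canonical paths does not. Python's own `ZipFile.extractall` already strips traversal components, so the explicit check is shown here because the vulnerable code path is Java, where the archive API hands back member names verbatim.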
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle Ghidra. Any image running a Ghidra version below 12.0.4 is flagged automatically.
Triage is available with the recorded CVSS v4.0 score of 8.4 (High), weighted against each customer environment's compliance policy to surface priority and route alerts to the appropriate team inbox within the customer org.
A patched-image rebuild at Ghidra 12.0.4 is available on HarborGuard for every affected image detected in customer registries and pipelines. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host; no network exposure is required to deliver the malicious theme file.
- Authentication: Not required
No account credentials or privilege level are required; the vulnerability is exercised through the theme import UI without any authentication check.
- Victim interaction: Required
A user must actively open or import the malicious theme ZIP file, making this a social-engineering vector where the attacker must convince the victim to load the crafted archive.
- Attack complexity: Low (AC:L in the CVSS v4.0 vector)
The exploit is reliable and condition-free once the victim loads the file; no race conditions, memory layout assumptions, or environmental factors are involved.
Blast Radius
- Writes arbitrary files anywhere on the filesystem that the running user can reach, including shell startup scripts such as .bashrc to achieve persistent code execution on next login.
- Overwrites or appends to .ssh/authorized_keys, granting the attacker SSH access to the host without any further credentials.
- Modifies or replaces any user-writable configuration or binary, leading to full compromise of the local user account running Ghidra.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of CVE publication for any image containing Ghidra below 12.0.4, covering both images pulled from public registries and custom-built images. For customers who opt into auto-remediation, HarborGuard triggers a rebuild at Ghidra 12.0.4, runs a regression test, and opens a pull request against affected workloads. The median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the finding is routed to the designated team inbox with the CVSS 8.4 score and fix version attached for manual review. Because this vulnerability requires a user to import a theme file, a compensating control in the interim is to restrict or disable the Ghidra theme import feature through tooling policy and to enforce file-integrity monitoring on sensitive files such as .ssh/authorized_keys and shell startup scripts.
Fix available
- nationalsecurityagency/ghidra: < 12.0.4 (from 0), fixed in 12.0.4
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N