CVE-2026-52758: Ghidra < 12.1 - SQL Injection via Unescaped Filter Values in BSim Search

Synopsis

SQL injection in Ghidra's BSim search feature affects versions 11.0 through 12.1 (exclusive). The vulnerability is reachable over the network by any authenticated user with a low-privilege account, because BSim filter values are concatenated directly into SQL queries without escaping or parameterization. Successful exploitation gives an attacker full read, write, and delete access to the underlying PostgreSQL database. A patched-image rebuild at version 12.1 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Exploit Conditions

• Network reachabilityRequired

  The BSim query protocol is exposed over the network, so the attacker must be able to reach the service from a remote host.

• AuthenticationRequired

  Any low-privilege account is sufficient; no admin or special permissions are needed to submit BSim filter queries.

• Victim interactionNot required

  The attacker sends a crafted query directly to the BSim endpoint; no user action or social engineering is needed.

• Attack complexityDetail

  Exploitation is reliable and condition-free: the injection point requires no special timing, memory layout knowledge, or environmental pre-conditions.

Blast Radius

• Reads arbitrary rows from the PostgreSQL database, including stored analysis results, project metadata, and any credentials or tokens persisted there.
• Modifies or overwrites persisted database rows, allowing an attacker to corrupt analysis data or tamper with stored binary function signatures.
• Deletes database records, permanently destroying BSim analysis history or other data stored in the PostgreSQL instance.
• All three impacts (confidentiality, integrity, availability) are rated HIGH, meaning a single injected query can chain read, write, and delete operations in one request.