Ghidra · Ghidra · CVE-2026-52750
**Name of the Vulnerable Software and Affected Versions**
Ghidra versions prior to 12.1
**Description**
On Windows, improper escaping of `cmd.exe` metacharacters in URL annotation handling allows for command injection. This occurs when malicious URLs are embedded in program comments; if a user clicks these URLs, arbitrary commands can be executed with the privileges of the Ghidra user.
**Recommendations**
Update to version 12.1 or later.
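The check below is an added example, not code from Ghidra or from this advisory: it triages exported comment text for URL annotations that would be risky to hand to a `cmd.exe`-based launcher. It assumes a `{@url <target> [display text]}` annotation shape and a conservative metacharacter list; the function names, the address-to-comment mapping and the sample comments are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Conservative list of characters cmd.exe treats specially (an assumption, not from the advisory).
CMD_META = set('&|<>^%"()!')
ALLOWED_SCHEMES = {"http", "https"}
# Assumed annotation shape: {@url <target> [display text]}
URL_ANNOTATION = re.compile(r'\{@url\s+([^}]*)\}', re.IGNORECASE)

def first_token(body):
    """Return the URL target: the first quoted string, or the first bare token."""
    body = body.strip()
    if body.startswith('"'):
        end = body.find('"', 1)
        return body[1:end] if end != -1 else body[1:]
    return body.split()[0] if body else ""

def classify(target):
    """Return the reasons a target should be reviewed; an empty list means none found."""
    reasons = []
    try:
        scheme = urlsplit(target).scheme.lower()
    except ValueError:
        return ["unparseable URL"]
    if scheme not in ALLOWED_SCHEMES:
        reasons.append(f"scheme {scheme or '(none)'!r} not in allowlist")
    meta = sorted(CMD_META.intersection(target))
    if meta:
        reasons.append("cmd.exe metacharacters: " + " ".join(meta))
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in target):
        reasons.append("whitespace or control character")
    return reasons

def scan(comments):
    """comments maps address -> comment text; returns (address, target, reasons) tuples."""
    findings = []
    for address, text in comments.items():
        for match in URL_ANNOTATION.finditer(text):
            target = first_token(match.group(1))
            reasons = classify(target)
            if reasons:
                findings.append((address, target, reasons))
    return findings

# Constructed sample comments, keyed by address.
SAMPLE_COMMENTS = {
    "0x401000": 'See {@url "https://example.test/docs" "vendor docs"}',
    "0x401010": 'ref {@url https://example.test/a?x=1&y=2}',
    "0x401020": '{@url "file:///C:/tmp/readme.txt" local}',
}

if __name__ == "__main__":
    for address, target, reasons in scan(SAMPLE_COMMENTS):
        print(address, target, "; ".join(reasons))
```

The check is deliberately noisy: an ordinary query string containing `&` is flagged, because the same character is a command separator to `cmd.exe`, so a flag means "review before clicking", not "malicious".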