CVE-2026-6902 PUBLISHED

Code Injection in Perforce P4 (Helix Core)

Assigner: Perforce
Reserved: 23.04.2026 Published: 18.05.2026 Updated: 18.05.2026

A vulnerability in Command-Line Client in P4 Server prior to the 2025.2 Patch 2, identified as CVE-2026-6902, has been fixed in P4 Server to address potential security risks.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
CVSS Score: 7.7

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	Low
Attack Complexity	Low	Integrity	High	Integrity	Low
Attack Requirements	Present	Availability	High	Availability	Low
Privileges Required	None
User Interaction	Passive

CVSS 4.0

Product Status

Vendor	Perforce
Product	P4 (Helix Core)
Versions	Default: unaffected affected from 0 to P4 (Helix Core) 2025.2 Patch 2 (excl.)

References

https://portal.perforce.com/s/cve/a91Qi000002zJB3IAM/code-injection-in-perforce-helix-core

Problem Types

CWE-94 Code Injection CWE