High severity7.1NVD Advisory· Published Apr 23, 2026· Updated Apr 27, 2026

CVE-2026-6940

Description

radare2 prior to 6.1.4 contains a path traversal vulnerability in project deletion that allows local attackers to recursively delete arbitrary directories by supplying absolute paths that escape the configured dir.projects root directory. Attackers can craft absolute paths to project marker files outside the project storage boundary to cause recursive deletion of attacker-chosen directories with permissions of the radare2 process, resulting in integrity and availability loss.

Affected products

Radare/Radare2
cpe:2.3:a:radare:radare2:*:*:*:*:*:*:*:*
Range: <6.1.4

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/radareorg/radare2/pull/25830/commitsnvdIssue TrackingPatch
github.com/radareorg/radare2/pull/25830nvdExploitIssue TrackingThird Party Advisory
www.vulncheck.com/advisories/radare2-project-deletion-path-traversal-directory-deletionnvdThird Party Advisory

News mentions

A Deep Dive Into Attempted Exploitation of CVE-2023-33538
Unit 42 · Apr 16, 2026

cvss	0.461
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000