High severity7.1NVD Advisory· Published Apr 23, 2026· Updated Apr 27, 2026
CVE-2026-6940
CVE-2026-6940
Description
radare2 prior to 6.1.4 contains a path traversal vulnerability in project deletion that allows local attackers to recursively delete arbitrary directories by supplying absolute paths that escape the configured dir.projects root directory. Attackers can craft absolute paths to project marker files outside the project storage boundary to cause recursive deletion of attacker-chosen directories with permissions of the radare2 process, resulting in integrity and availability loss.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
3- github.com/radareorg/radare2/pull/25830/commitsnvdIssue TrackingPatch
- github.com/radareorg/radare2/pull/25830nvdExploitIssue TrackingThird Party Advisory
- www.vulncheck.com/advisories/radare2-project-deletion-path-traversal-directory-deletionnvdThird Party Advisory
News mentions
0No linked articles in our index yet.