VYPR
Medium severity6.6NVD Advisory· Published Apr 23, 2026· Updated Apr 27, 2026

CVE-2026-6941

CVE-2026-6941

Description

radare2 prior to 6.1.4 contains a path traversal vulnerability in its project notes handling that allows attackers to read or write files outside the configured project directory by importing a malicious .zrp archive containing a symlinked notes.txt file. Attackers can craft a .zrp archive with a symlinked notes.txt that bypasses directory confinement checks, allowing note operations to follow the symlink and access arbitrary files outside the dir.projects root directory.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Radare/Radare22 versions
    cpe:2.3:a:radare:radare2:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:radare:radare2:*:*:*:*:*:*:*:*range: <6.1.4
    • (no CPE)range: <6.1.4

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.