CVE-2026-6940

HIGH 7.1

radare2 < 6.1.4 Project Deletion Path Traversal Directory Deletion

CVSS Score

7.1

EPSS Score

0.0%

EPSS Percentile

0th

radare2 prior to 6.1.4 contains a path traversal vulnerability in project deletion that allows local attackers to recursively delete arbitrary directories by supplying absolute paths that escape the configured dir.projects root directory. Attackers can craft absolute paths to project marker files outside the project storage boundary to cause recursive deletion of attacker-chosen directories with permissions of the radare2 process, resulting in integrity and availability loss.

CWE	CWE-22
Vendor	radareorg
Product	radare2
Published	Apr 23, 2026

Stay Ahead of the Next One

Get instant alerts for radareorg radare2

Be the first to know when new high vulnerabilities affecting radareorg radare2 are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

Affected Versions

radareorg / radare2

0 < 6.1.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/radareorg/radare2/pull/25830 github.com: https://github.com/radareorg/radare2/pull/25830/commits vulncheck.com: https://www.vulncheck.com/advisories/radare2-project-deletion-path-traversal-directory-deletion

Credits

Chia Min Jun Lennon