CVE-2026-6941

low-risk

Published 2026-04-23

radare2 prior to 6.1.4 contains a path traversal vulnerability in its project notes handling that allows attackers to read or write files outside the configured project directory by importing a malicious .zrp archive containing a symlinked notes.txt file. Attackers can craft a .zrp archive with a symlinked notes.txt that bypasses directory confinement checks, allowing note operations to follow the symlink and access arbitrary files outside the dir.projects root directory.

Do I need to act?

0.01% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.6/10 Medium

LOCAL / LOW complexity

Affected Products (1)

Radare2

Affected Vendors

Radare

References (3)

Patch https://github.com/radareorg/radare2/commit/4bcdee725ff0754ed721a98789c0af371c5f...

Exploit https://github.com/radareorg/radare2/pull/25831

Third Party Advisory https://www.vulncheck.com/advisories/radare2-project-notes-path-traversal-via-sy...

/ 100

low-risk

Severity 21/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal